PREFACE

This handbook, Design for Reliability, is the first in a series of five on reliability. The series is directed largely toward the working engineers who have the responsibility for creating and producing equipment and systems which can be relied upon by the users in the field.

The  five  handbooks  are: 

1.  Design  for  Reliability,  AMCP  706-196 

2.  Reliability  Prediction,  AMCP  706-197 

3.  Reliability  Measurement,  AMCP  706-198 

4. Contracting for Reliability, AMCP 706-199

5.  Mathematical  Appendix  and  Glossary,  AMCP  706-200. 

This handbook is directed toward reliability engineers who need to be familiar with the mathematical-probabilistic-statistical techniques for predicting the reliability of various configurations of hardware. The material in standard textbooks is not repeated here; the important points are summarized, and references are given to the standard works.

The majority of the handbook content was obtained from many individuals, reports, journals, books, and other literature. It is impractical here to acknowledge the assistance of everyone who made a contribution.

The original volume was prepared by Tracor Jitco, Inc. The revision was prepared by Dr. Ralph A. Evans of Evans Associates, Durham, N.C., for the Engineering Handbook Office of the Research Triangle Institute, prime contractor to the US Army Materiel Command. Technical guidance and coordination on the original draft were provided by a committee under the direction of Mr. O. P. Bruno, US Army Materiel Systems Analysis Agency, US Army Materiel Command.

The Engineering Design Handbooks fall into two basic categories, those approved for release and sale, and those classified for security reasons. The US Army Materiel Command policy is to release these Engineering Design Handbooks in accordance with current DOD Directive 7230.7, dated 18 September 1973. All unclassified handbooks can be obtained from the National Technical Information Service (NTIS). Procedures for acquiring these handbooks follow:

a.  All  Department  of  Army  activities  having  need  for  the  handbooks 
must  submit  their  request  on  an  official  requisition  form  (DA  Form  17, 
dated  Jan  70)  directly  to: 

Commander 

Letterkenny  Army  Depot 
ATTN:  AMXLE-ATD 
Chambersburg,  PA  17201 

(Requests for classified documents must be submitted, with appropriate “Need to Know” justification, to Letterkenny Army Depot.) DA activities will not requisition handbooks for further free distribution.

b. All other requestors, DOD, Navy, Air Force, Marine Corps, non-military Government agencies, contractors, private industry, individuals, universities, and others must purchase these handbooks from:

National Technical Information Service
Department of Commerce
Springfield, VA 22151

Classified documents may be released on a “Need to Know” basis verified by an official Department of Army representative and processed from Defense Documentation Center (DDC), ATTN: DDC-TSR, Cameron Station, Alexandria, VA 22314.

Comments  and  suggestions  on  this  handbook  are  welcome  and  should  be 
addressed  to: 

Commander 

US  Army  Materiel  Development  and  Readiness  Command 
Alexandria,  VA  22333 

(DA Forms 2028, Recommended Changes to Publications, which are available through normal publications supply channels, may be used for comments/suggestions.)

CHAPTER 1 INTRODUCTION


1-0  LIST  OF  SYMBOLS 

A = availability 

MTBF  = mean  time  between  failures,  time"1 
MTTR  = mean  time  to  repair,  time  _1 

I,  II  = subscripts  to  indicate  systems  I,  II 

1-1  GENERAL 

Reliability engineering is the doing of those things which insure that an item will perform its mission successfully. The pressures and constraints on engineers to produce equipment and systems at minimum cost with maximum utility in minimum time have been very severe. Thus arose the original discipline of reliability which has two parts:

(1)  Paying  attention  to  detail 

(2)  Handling  uncertainties. 

As engineers and administrators became more adept at quantifying the effort to produce equipment and systems that could be relied upon, classification schemes for this effort were developed. Under such schemes, the word “reliability” has several meanings, all related to the dictionary, but some of them rather narrow and specific.

The traditional narrow definition of s-reliability (Ref. 3, Version A) is “the probability that an item will perform its intended function for a specific interval under stated conditions”. In reliability calculations, the following extended definition is more often actually used:

s-Reliability is the probability that the item successfully completes its mission, given that the item was in proper condition at the mission beginning.

The convention adopted in all Parts of this series is to use “s-” followed by the word when the term is used in a specially defined statistical sense—e.g., s-reliability, s-normal, s-availability, s-confidence.

This concept of s-reliability is applicable largely to items which have simple missions, e.g., equipment, simple vehicles, or components of systems. For large complex systems—e.g., an antiaircraft system (including the radars and weapons), a squadron of tanks, or a large communication network—it is more appropriate to use more sophisticated concepts such as system effectiveness to describe the worth of a system.

The reliability engineer must do more than merely collect data and perform actuarial services during the design, development, and field use of equipment. He must be sensitive to the countless decisions made during the evolution of a product, and he must assist in making these decisions. The reliability engineer has a responsibility to build specific amounts of longevity into equipment. He must be able to trade off the reliability parameters against the many other important parameters such as cost, weight, size, and scheduling. Great emphasis is placed on failures whose cause can be eliminated. Reliability mathematics must reflect the engineering search for causes of failure and the adequacy of their elimination. It must permit s-reliability prediction from the planning phase through the field-use phase to assure that failure probability does not exceed a permissible bound. s-Reliability is a quantitative probabilistic factor, which must be predictable in design, measurable in tests, assurable in production, and maintainable in the field. In short, it must be controllable throughout the life cycle of the product. Other system characteristics, such as maintainability and safety, also affect the mission-performing equipment and its related subsystems, including maintenance and support equipment, checkout and servicing, repair parts provisioning, and actual repair functions. Thus, reliability and other design considerations provide the basis for developing adequate systems which conform to mission objectives and requirements. This overall program is called system engineering. The purpose of this chapter is to provide a general understanding of system engineering and of reliability trade-offs with maintainability, safety, and performance.



1-2  SYSTEM  ENGINEERING 

In  recent  years,  the  word  system  has 
come  to  include: 

(1)  The  prime  mission  equipment 

(2)  The  facilities  required  for  operation 
and  maintenance 

(3) The selection and training of personnel

(4) Operational and maintenance procedures

(5)  Instrumentation  and  data  reduction 
for  test  and  evaluation 

(6)  Special  activation  and  acceptance 
programs 

(7)  Logistic  support  programs. 

Specifically, a system is defined (Ref. 1, Version A) as: “A composite, at any level of complexity, of operational and support equipment, personnel, facilities, and software which are used together as an entity and capable of performing and supporting an operational role”.

System engineering (Ref. 2) is the application of scientific, engineering, and management effort to:

(1)  Transform  an  operational  need  into  a 
description  of  system  performance  parameters 
and  a system  configuration  through  the  use  of 
an  iterative  process  of  definition,  synthesis, 
analysis,  design,  test,  and  evaluation 

(2) Integrate related technical parameters and assure compatibility of all physical, functional, and program interfaces in a manner that optimizes the total system design

(3) Integrate reliability, maintainability, safety, survivability (including electronic warfare considerations), human factors, and other factors into the total engineering effort.

From the system management viewpoint, system engineering is but one of five major activities required to develop a system from the initial, conceptual phase through the subsequent contract definition, engineering development, production, and operational phases. These five activities (procurement and production, program control, configuration management, system engineering, and test and deployment management), their general functions within each of the system evolutionary phases, and their relationships to one another are summarized in Fig. 1-1. More details on system management are given in Ref. 8.

System engineering consists of four steps in an interacting cycle (Fig. 1-2). Step 1 considers threat forecast studies, doctrinal studies, probable Army tasks, and similar sources of desired materiel and system objectives; then it translates them into basic functional requirements or statements of operation. The usual result of Step 1 is a set of block diagrams showing basic functional operations and their relative sequences and relationships. Even though hardware may help shape the basic system design, it is not specifically included in Step 1. Step 1 is intended to form a first hypothesis as a start toward the eventual solution.

In Step 2, the first hypothesis is evaluated against constraints such as design, cost, and time and against specific mission objectives to create criteria for designing equipment, defining intersystem interfaces, defining facilities, and determining requirements for personnel, training, training equipment, and procedures.

Step  3 consists  of  system  design  studies 
that  are  performed  concurrently  with  Steps  2 
and  4 to: 

(1)  Determine  alternate  functions  and 
functional  sequences. 

(2)  Establish  design,  personnel,  training, 
and  procedural  data  requirements  imposed  by 
the  functions 

(3) Find the best way to satisfy the mission requirements

(4) Select the best design approach for integrating mission requirements into the actual hardware and related support activities.

Normally, the studies in Step 3 involve trade-offs where data are in the form of schematic block diagrams, outline drawings, intersystem and intrasystem interface requirements, comparative matrices, and data supporting the selection of each approach. Some of the scientific tools used in the system design studies in Step 3 are: probability theory, statistical inference, simulation, computer analysis, information theory, queuing theory, servomechanism theory, cybernetics, mathematics, chemistry, and physics.

FIGURE 1-1. System Management Activities

FIGURE 1-2. Fundamental System Engineering Process Cycle


Step 4 uses the design approach selected in Step 3 to integrate the design requirements from Step 2 into the Contract End Items (CEI’s). The result of Step 4 provides the criteria for detailed design, development, and test of the CEI based upon defined engineering information and associated tolerances. Outputs from Step 4 are used to:

(1)  Determine  intersystem  interfaces 

(2) Formulate additional requirements and functions that evolve from the selected devices or techniques

(3) Provide feedback to modify or verify the system requirements and functional flow diagrams prepared in Step 1.

When the first cycle of the system engineering process is completed, the modifications, alternatives, imposed constraints, additional requirements, and technological problems that have been identified are recycled through the process with the original hypothesis (initial design) to make the design more practical. This cycling is continued until a satisfactory design is produced, or until available resources (time, money, etc.) are expended and the existing design is accepted, or until the objectives are found to be unattainable.


Other factors that are part of the system engineering process—such as reliability, maintainability, safety, and human factors—exist as separate but interacting engineering disciplines and provide specific inputs to each other and to the overall system program. Pertinent questions at this point might be: “How do we know when the design is adequate?” or “How is the effectiveness of a system measured?” The answers to these questions lead to the concept of system effectiveness.

1-3  SYSTEM  EFFECTIVENESS 

System effectiveness is defined (Ref. 3, Version B) as: “a measure of the degree to which an item can be expected to achieve a set of specific mission requirements, and which may be expressed as a function of availability, dependability, and capability”. Cost and time are also critical in the evaluation of the merits of a system or its components and must eventually be included in making administrative decisions regarding the purchase, use, maintenance, or discard of any equipment.

The effectiveness of a system obviously is influenced by the way the equipment was designed and built; it is, however, just as influenced by the way the equipment is used and maintained; i.e., system effectiveness is influenced by the designer, production engineer, maintenance man, and user/operator. The concepts of availability, dependability, and capability included in the definition of system effectiveness illustrate these influences and their relationships to system effectiveness. MIL-STD-721 (Ref. 3, Version B) provides the following definitions of these concepts:

(1) Availability. A measure of the degree to which an item is in an operable and committable state at the start of a mission, when the mission is called for at an unknown (random) point in time.

(2) Dependability. A measure of the item operating condition at one or more points during the mission, including the effects of reliability, maintainability, and survivability, given the item condition(s) at the start of the mission. It may be stated as the probability that an item will: (a) enter or occupy any one of its required operational modes during a specified mission, and (b) perform the functions associated with these operational modes.

(3)  Capability.  A measure  of  the  ability 
of  an  item  to  achieve  mission  objectives,  given 
the  conditions  during  the  mission. 

Dependability  is  related  to  reliability;  the 
intention  was  that  dependability  would  be  a 
more  general  concept  than  reliability.  No 
designer  should  become  bogged  down  in 
semantic  discussions  when  intent  is  clear. 

As an example, consider the use of machine guns against attacking aircraft. Since the design intent was to provide increased firepower and area coverage for ground support combat, the effectiveness of this “system” (machine gun) will be very low. The machine gun does not have an intended capability for antiaircraft use. This fact, however, has little to do with the availability or dependability of the machine gun. That particular application by the user/operator is simply a misuse. As another example (adapted from Ref. 4, par. 2.7.3), consider a previously serviceable vehicle tire that has a blowout at 90 mph on a hot day (110°F) due to impact with a jagged hole in the pavement. If most tires of this type survive high-speed, high-temperature operation under high impact loads, then the blowout (failure) is due to lack of reliability, since such severe environments (90 mph, 110°F, jagged hole) are within the capability of the tire type. If, however, the design requirements specified less severe environments (60 mph, 80°F, no jagged holes), then the failure was due to a lack of capability. Thus, in the first case, the system (tire) had adequate capability, but its reliability was low. In the second case, the reliability may have been high, but the capability (for that particular usage) was inadequate. In both cases, however, the system effectiveness for the applied usage was low.

The optimization of system effectiveness is important throughout the system life cycle, from concept through the operation. Optimization is the balancing of available resources (time, money, personnel, etc.) against resulting effectiveness, until a combination is found that provides the most effectiveness for the desired expenditure of resources. Thus, the optimum system might be one that:

(1)  Meets  or  exceeds  a particular  level  of 
effectiveness  for  minimum  cost,  and/or 

(2)  Provides  a maximum  effectiveness 
for  a given  total  cost. 

Optimization is illustrated by the flow diagram of Fig. 1-3 which shows the optimization process as a feedback loop consisting of the following three steps:

(1)  Designing  many  systems  that  satisfy 
the  operational  requirements  and  constraints. 

(2)  Computing  resultant  values  for 
effectiveness  and  resources  used 

(3) Evaluating these results and making generalizations concerning appropriate combinations of design and support factors, which are then fed back into the model through the feedback loops.

FIGURE 1-3. Flow Diagram for a General Optimization Process

Optimization also can be illustrated by the purchase of a new car, or more specifically, of putting into precise, quantifiable terms the rules or criteria that will be followed in the automobile selection process. Although automobiles do have quantifiable characteristics, such as horsepower, cost, and seating capacity, they are basically similar in most cars of a particular class (low-price sedans, sports models, etc.). Thus, the selection criteria essentially reduce to esthetic appeal, prior experience with particular models, and similar intangibles. In the same sense, the choice of best design for the weapon system is greatly influenced by experience with good engineering practices, knowledge assimilated from similar systems, and economics. Despite this fuzziness, the selection criteria must be adjusted so that:

(1) The  problem  size  can  be  reduced  to 
ease  the  choice  of  approaches 

(2) All possible alternatives can be examined more readily and objectively for adaptation to mathematical representation and analysis

(3) Ideas and experiences from other disciplines can be more easily incorporated into the solution

(4) The final choice of design approaches can be based on more precise, quantifiable terms, permitting more effective review and revision, and better inputs for future optimization problems.

The choice of parameters in the optimization model also is influenced by system definition. The automobile purchaser, for example, may not consider the manufacturer’s and dealer’s service policies. If these policies are considered, the system becomes the automobile plus the service policies. If service policies are not considered, the system consists only of the automobile.

The actual techniques used to optimize system effectiveness are beyond the scope of this chapter. Table 1-1 (Ref. 4), for example, lists only some of the more commonly used techniques. Specific details are contained in the references already mentioned and in Ref. 26. Ref. 4, for example, contains methods and examples of basic mathematical and statistical concepts, simulation, queuing theory, sequencing and Markov processes, game theory, linear and dynamic programming, information theory, and others. These techniques are not peculiar to system effectiveness optimization nor are they limited to system engineering.


TABLE 1-1. PARTIAL LIST OF OPTIMIZATION TECHNIQUES (Ref. 4)


I.  Mathematical  Techniques 

Birth  and  death  processes 
Calculus  of  finite  differences 
Calculus  of  variations 
Gradient  theory 
Numerical  approximation 
Symbolic  logic 
Theory  of  linear  integrals 
Theory  of  maxima  and  minima 


II.  Statistical  Techniques 

Bayesian  analysis 
Decision  theory 
Experimental  design 
Information  theory 
Method  of  steepest  ascent 
Stochastic  processes 


III. Programming Techniques

Dynamic  programming 
Linear  programming 
Nonlinear  programming 


IV.  Other 

Gaming  theory 
Monte  Carlo  techniques 
Queuing  theory 
Renewal  theory 
Search  theory 
Signal  flow  graphs 
Simulation 
Value  theory 


1-4  THE  ROLE  OF  RELIABILITY 

The reliability effort includes not only the hardware but also the actions, procedures, software, and operators that use the hardware. The reliability depends on the reliability requirements, the testing, and the emphasis placed on reliability by management (both Government and contractor) throughout the life cycle of the equipment. Often, as deadlines approach, something must be sacrificed (cost, schedule, performance, reliability); management decides what it will be; e.g., will management decide that a paper “demonstration” be substituted for a physical demonstration cf

It  is  much  easier  to  talk  about  optimizing 
reliability  and  to  analyze  ways  of  doing  it 
than  it  is  to  get  a physical  system  which  is 
optimized.  Achieving  high  reliability  is  an 
engineering  problem,  not  a statistical  one. 

Before reliability can be optimized, one needs to look at ways reliability can be changed and the kinds of constraints that can be imposed upon efforts to change it. These classifications are convenient for discussion. They do not in themselves limit anyone’s activities. Not all changes which are made with the intention of improving reliability actually do improve it—especially when there is insufficient information about the mission.

Reliability  can  be  modified  by  changing: 

(1) The overall approach to the problem (e.g., wire lines or a microwave link for a communication system)

(2) The configuration of the system (e.g., an aircraft can have propeller or jet engines, wings over or under the fuselage, and the mounting and number of engines are adjustable)

(3) Some of the modules or subsystems (e.g., motor functions can be performed electrically, hydraulically, or by mechanical levers and gears)

(4) Some components (e.g., use high reliability parts or commercial ones)

(5) Details of manufacture (e.g., holes in steel can be punched, drilled, reamed, and/or burned)

(6) Materials (e.g., wood, plastics, metal alloys)

(7) Method of operation (e.g., the operator of a radio-receiver can be required to tune each stage separately or it can all be done with one switch)

(8) Definition of mission success (e.g., range and resolution of a radar)

(9) Amount of attention to detail (e.g., an alloy can simply be selected from a handbook table, or many tests can be run on many alloys to find the one which holds up best in service).


Efforts to improve reliability are constrained by:

(1) Cost of design effort

(2) Cost of parts manufacture

(3) Calendar time schedules

(4) Manpower available to do the job

(5) Availability of purchased components or materials

(6) Volume or weight of finished product

(7) Operator training limitations

(8) Uncertainty about actual use conditions

(9) Maintenance philosophy, and logistics

(10) Logical consequences of various user regulations

(11) User resistance to some configurations

(12) Management refusal to effect administrative changes

(13) Lack of knowledge about material or component properties or about the way a part will be made.

Other techniques and constraints are likely to be important in any particular job. Some of the changes and constraints are not easily quantifiable, and the ones listed are certainly not mutually exclusive. All of this makes a complete mathematical analysis virtually impossible.

It is worthwhile to have many of the critical failure modes such that the equipment fails gracefully; viz., there is a very degraded mode of operation which is still feasible after the major failure. For example, if the power steering on a vehicle fails, it may still be possible for it to limp to safety if the vehicle can be steered by hand.

The repair philosophy during a mission must be stated explicitly. Standby redundancy often can be considered a special case of repair—it is just a question of how the changeover is effected in case of failure. In some situations, the mission will not be a failure if the equipment is down for only a very short time. In what state will a repair leave the system? Is the entire system to be restored to a like-new condition after each failure? Will only a subsystem be restored to like-new or perhaps the equipment will be returned to the statistical condition it had just before failure? In general, the exact situation will not be known, and it is a matter of engineering judgment to pick tractable assumptions that are reasonably realistic.

The design approaches and requirements are investigated by the system reliability engineer. They include the following:

(1) The definitions of (a) the mission, (b) successful completion, and (c) proper condition (at mission beginning) must be sufficiently explicit to make the reliability calculations.

(2) Relationships and interactions between reliability and each of the other system parameters (maintainability, etc.) must be carefully analyzed.

(3) A method of estimating reliability must be selected to permit quantitative description of the consequences of each design.

(4) Reliability objectives must be matched to the system mission.

(5) System reliability levels must be related to overall program resource allocations.

These and others are discussed in this handbook and Parts Three, Four, and Five.

The techniques used in this analysis include development of a model that considers:

(1) Required functions for each mission phase

(2) Identification of critical time periods for each function

(3) Establishment of external and internal environmental stresses for each functional element

(4) Operational and maintenance concepts

(5) Hardware and software system elements for each function

(6) Determination of any required functional redundancies.

Specific design techniques, such as stress derating, redundancy, stress/strength analysis, apportionment of reliability requirements, prediction, design of experiments and tests, parameter variation analysis, failure mode and effect analysis, and worst case analysis, are the “tools of the trade” for reliability engineers. Additionally, the reliability engineer must:


(1) Actively participate in selecting preferred parts having established reliabilities, and thus promote standardization within military system.

(2) Participate in design reviews at appropriate stages to evaluate reliability objectives and achievement thereof.

(3) Monitor attainment of reliability requirements throughout the entire program.

(4) Work with other members of the system engineering team to integrate reliability with other engineering areas.

Thus, the reliability engineer performs system engineering from the reliability viewpoint. These methods and techniques are discussed in greater detail in later chapters and other Parts. Additional information is provided in the references at the end of this chapter; e.g., MIL-STD-785 (Ref. 1) specifies the requirements for system reliability programs, MIL-STD-721 (Ref. 3) defines terms for reliability and related disciplines, and AR 702-3 (Ref. 5) establishes Army requirements for reliability and maintainability.

1-5  THE  ROLE  OF  MAINTAINABILITY 

Maintainability is a characteristic of design and installation of
equipment. s-Maintainability is defined (Ref. 3) as the probability
that an item will be retained in a specified condition, or restored to
that condition within a given time period, when maintenance is
performed according to prescribed procedures and resources.
Maintenance consists of those actions needed to retain the designed-in
characteristics throughout the system lifetime. Maintainability, like
reliability, must be designed into the equipment.

Maintainability engineering is similar to other engineering practices,
but it emphasizes recovery of the equipment after a failure and
reductions in upkeep costs. Maintainability engineers consider the
purpose, type, use, and limitations of the product, all of which
influence the ease, rapidity, economy, and accuracy of its service and
repair; and the effects of installation, environment, support
equipment, personnel, and operational policies on the item geometry,
size, and weight. Thus, maintainability studies assist in the
development of a product which can be maintained by personnel of
ordinary skill under the environmental conditions in which it will
operate.

1-5.1  RELATIONSHIP  TO  RELIABILITY 

Reliability is related to the effectiveness of the maintenance
performed on a system. If this maintenance is incorrect or not timely,
the system may fail. Maintainability, on the other hand, can provide
designed-in ease of maintenance and, thereby, increase the maintenance
effectiveness.

From a system effectiveness viewpoint, reliability and maintainability
jointly provide system availability and dependability. Increased
reliability directly contributes to system uptime, while improved
maintainability reduces downtime. If reliability and maintainability
are not jointly considered and continually reviewed, as required by
Ref. 5, then serious consequences may result. With military equipment,
failures or excessive downtime can jeopardize a mission and possibly
cause a loss of lives. Excessive repair time and failures also impose
burdens on logistic support and maintenance activities, causing high
costs for repair parts and personnel training, expenditure of many
man-hours for actual repair and service, obligation of facilities and
equipment to test and service, and to movement and storage of repair
parts.

From the cost viewpoint, reliability and maintainability must be
evaluated over the system life cycle, rather than merely from the
standpoint of initial acquisition. The overall cost of ownership has
been estimated to be from three to twenty times the original
acquisition cost. An effective design approach to reliability and
maintainability can reduce this cost of upkeep.

The reliability and maintainability characteristics of an item are
relatively fixed and difficult to change in the field. Thus, the
soldier/user finds himself faced with accepting the item reliability
as a determination of whether the item will function correctly or not;
as long as it functions, he can use it. Consequently, reliability data
do not greatly concern him (Ref. 7). Maintainability, on the other
hand, provides the soldier/user with his only means of returning the
equipment to a serviceable condition. A tank, for example, that has a
nonrepairable weapon system becomes, on breakdown of the weapon, an
immensely heavy mobile radio from the viewpoint of its users.

The primary objectives of the Army reliability, availability, and
maintainability (RAM) programs are to assure that Army materiel will:

(1) Be ready for use when needed

(2) Be capable of successfully completing its mission and

(3) Fulfill all required maintenance objectives throughout its life
cycle.

Ref. 8 provides guidance on management of reliability and
maintainability programs, and Ref. 5 delineates concepts, objectives,
responsibilities, and general policies for Army reliability and
maintainability programs.

Policies and guidance on life cycles of Army equipment are provided by
Refs. 6 and 9. Amplification of Army reliability and maintainability
policies can be found in the references at the end of this chapter.
Fig. 1-4 illustrates some of the fundamental relationships between
reliability and maintainability.

1-5.2  DESIGN  GUIDELINES 

System maintainability goals must be apportioned among three major
categories: (1) equipment design, (2) personnel, and (3) support. To
accomplish this, a maintenance concept must be selected, and a
mathematical model developed to describe the concept. Initially, the
goals can be apportioned based upon past experience with similar
systems, and upon general guidelines presented here and in the
references for this chapter. As the design progresses, the initial
apportionment can be changed by trade-offs among these three
categories. The design goals can be further apportioned to the
subsystem and component levels. Allocating maintainability for
subsystems and components of a complex system can be difficult due to
the mathematical/statistical complexity of the model. Some of the
problems associated with combining or apportioning downtime and
suggested approaches to their solution are covered in Refs. 7, 10, 11,
and 12.

The design category covers the physical aspects of the equipment,
including the requirements for test equipment, tools, repair parts,
training, and maintenance skill levels. Equipment design, packaging,
test points, accessibility, and other factors directly influence these
requirements. The personnel category considers the actual skill levels
of the maintenance technicians, their job attitudes and motivations,
experience, technical knowledge, and other personnel characteristics
associated with equipment maintenance. The support category
encompasses the logistic and maintenance organizations associated with
system support. Some of the areas included in support are: tools, test
equipment, and repair parts stocked at specific locations; the
availability of equipment technical publications; supply problems
characteristic of, or peculiar to, particular maintenance sites;
allocation of authorized maintenance levels; and establishment of
maintenance organizational structures.

Some  guidelines  for  engineers  designing 
and  developing  Army  equipment  are: 


(1) Reduce maintenance needs by designing reliability into equipment
to insure desired performance over the intended life cycle.

(2) Use reliability improvements to save time and manpower by reducing
preventive maintenance requirements and, thereby, provide more
operational time for components.

(3) Reduce downtime by improving maintainability through
simplification of test and repair procedures to reduce troubleshooting
and correction time; for example, provide easy access and simple
adjustments.

(4) Decrease the logistic burden (particularly in combat areas) by
using standard parts, tools, test equipment, and components, and by
planning for interchangeability of parts, components, and assemblies.

(5) Simplify equipment operation and maintenance requirements so that
highly trained maintenance specialists will not be needed.

1-5.3  PREDICTION

Military specifications and contractual requirements incorporate
maintenance time restrictions that must be met by the designer. Thus,
predictions are needed to establish how close the equipment will be to
these requirements during its development cycle and in its end-use
phase. Similarly, a prediction of how long an item will be inoperative
during maintenance is important to the user, because the user is
deprived of the equipment contribution to his mission performance.
This prediction must be quantitative and be capable of being updated
as the item progresses through successive development phases. Two
advantages of predicting maintainability are that:

(1) It identifies areas of poor maintainability which must be
improved.

(2) An early assessment can be made of the adequacy of predicted
downtime, quality and quantity of maintenance and support personnel,
and tools and test equipment.

Most maintainability prediction methods use recorded reliability and
maintainability experience obtained from comparable systems and
components under similar conditions of use and operation. Thus, it is
common to assume that the principle-of-transferability is applicable.
Basically, this principle is that data from a system can be
transferred and used to predict the maintainability of a comparable
system that is in the design, development, or evaluation phase.
Obviously, this approach depends upon establishing some commonality
between systems. Usually this commonality can be inferred on a broad
basis during the early design phase; but as the design is refined, the
commonality must be established more exactly for equipment functions,
maintenance task times, and levels of maintenance.

The data used in maintainability predictions depend on specific
applications, but, in general, prediction methods use at least the
following two parameters:

(1) Failure rates of components at the specific level of interest

(2) The amount of repair time required at each maintenance level.


Repair times are obtained from prior experience, simulation of repair
tasks, or data from similar applications on other systems. Component
failure rates, however, have been recorded by many sources as a
function of use and environment. Some of these sources are listed in
Refs. 13-17, and in Appendix B. Actual prediction techniques are
covered in detail in Refs. 7, 10, 11, and 12.

1-5.4  DESIGN  REVIEW 

The design review process originally was established to achieve
reliability objectives, but has since been extended to include all
system characteristics throughout the life cycle (see Chap. 11).
Maintainability specifications require that a formal design review
program be established and documented for each development.

A design review involves four major tasks: (1) assembling data, (2)
actual review, (3) documentation, and (4) followup. For
maintainability, the first task (assembling data) includes engineering
drawings; mock-ups, breadboard assemblies, or prototypes;
maintainability prediction data; maintainability test data; and a
description of the maintenance concept.

The review ought to be performed by people familiar with
maintainability theory, maintenance processes, and human factors. The
quantitative review techniques use prediction data to identify areas
needing improvement, and the qualitative techniques use the experience
and knowledge of the review board members, plus available reference
material. The review ought to impartially analyze a design, isolate
real or potential maintainability difficulties, propose solutions, and
document the proceedings so that the designer can incorporate any
needed changes. Thus, the designer benefits from the experience of
other technical disciplines, and the equipment is improved. Design
review meetings must be held at each stage during the equipment
development to exercise control over the design, and to allow easier
incorporation of changes. Further discussion of reviews is in
Chapter 11.

1-5.5  AVAILABILITY

Maintainability trade-off techniques are used by designers to weigh
the potential advantages of a maintainability design change against
possible disadvantages. If mission requirements allow it, trade-offs
can be made between maintainability and other parameters, such as
reliability, or among the three categories of maintainability, i.e.,
equipment design, personnel, and support.

Availability is one of the important characteristics of equipment and
systems. Generally speaking, s-availability is said to be the
probability that, at any instant, an item is in proper condition to
begin a mission (see the second definition of s-reliability in par.
1-1). There are many variations for an exact definition (see Ref. 10);
they usually explicitly state what kinds of downtime are to be
excluded or included in the calculation. Ref. 10 ought to be consulted
for formal definitions of s-availability; for the purposes of this
paragraph s-availability will be taken as

A = 1/[1 + (MTTR/MTBF)]    (1-1)

where

A = availability calculated without considering downtime for scheduled
or preventive maintenance, or logistic support. Ready time, supply
downtime, waiting or administrative downtime, and preventive
maintenance downtime are all excluded (see Ref. 10 for definitions).

MTBF = Mean Time Between Failures, ignoring downtime.

MTTR = Mean Time To Repair, viz., the average time required to detect
and isolate a malfunction, make repairs, and restore the system to
satisfactory performance (see the definition of A for other
conditions).

s-Availability can be improved by reducing MTTR and by increasing
MTBF. Either MTTR = 0 or MTBF → ∞ would provide perfect s-availability
but, of course, neither is possible.

As examples, consider systems I and II with

MTTR_I = 0.1 hr
MTBF_I = 2 hr
MTTR_II = 10 hr
MTBF_II = 200 hr

Then the s-availability is

A_I = 1/[1 + (0.1/2)] = 0.952    (1-2a)

A_II = 1/[1 + (10/200)] = 0.952    (1-2b)

Both systems have the same s-availability, but they are not equally
desirable. A 10-hr MTTR might be too long for some systems whereas a
2-hr MTBF might be too short for some systems.

Even though reliability and maintainability individually can be
increased or decreased in combinations giving the same system
availability, care must be taken to insure that reliability does not
fall below its specified minimum, or that individually acceptable
values of reliability and maintainability are not combined to produce
an unacceptable level of system availability.
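The following is an added example, not taken from the handbook: it applies Eq. 1-1 to systems I and II and checks each candidate against separate MTBF, MTTR, and availability limits, then goes one step further and predicts MTBF and MTTR from the two parameters named in par. 1-5.3 (component failure rates and repair times). The requirement thresholds, the component data, the series-system constant-failure-rate model, and the failure-rate-weighted MTTR are all assumptions made for illustration; the handbook defers the actual prediction techniques to Refs. 7, 10, 11, and 12.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Component:
    name: str
    failure_rate: float  # failures per operating hour (assumed constant)
    repair_hours: float  # mean time to detect, isolate, repair, and restore


@dataclass(frozen=True)
class Requirement:
    min_mtbf: float          # hr, specified reliability minimum
    max_mttr: float          # hr, maintenance time restriction
    min_availability: float  # floor on A as defined by Eq. 1-1


def predict_mtbf(components):
    """Assumed model: series system, constant failure rates, so rates add."""
    total = sum(c.failure_rate for c in components)
    if total <= 0:
        raise ValueError("total failure rate must be positive")
    return 1.0 / total


def predict_mttr(components):
    """Assumed model: repair times weighted by how often each part fails."""
    total = sum(c.failure_rate for c in components)
    if total <= 0:
        raise ValueError("total failure rate must be positive")
    return sum(c.failure_rate * c.repair_hours for c in components) / total


def downtime_ranking(components):
    """Largest expected repair hours per operating hour first; the head of
    this list is the area of poor maintainability to improve."""
    return sorted(components,
                  key=lambda c: c.failure_rate * c.repair_hours,
                  reverse=True)


def availability(mtbf, mttr):
    """Eq. 1-1: A = 1 / [1 + (MTTR / MTBF)]."""
    if mtbf <= 0 or mttr < 0:
        raise ValueError("MTBF must be > 0 and MTTR must be >= 0")
    return 1.0 / (1.0 + mttr / mtbf)


def evaluate(mtbf, mttr, req):
    """Return (A, violations). Each limit is checked on its own, because
    equal availability does not imply equal acceptability."""
    a = availability(mtbf, mttr)
    violations = []
    if mtbf < req.min_mtbf:
        violations.append("MTBF")
    if mttr > req.max_mttr:
        violations.append("MTTR")
    if a < req.min_availability:
        violations.append("availability")
    return a, violations


# Constructed requirement; the handbook gives no numeric limits.
REQ = Requirement(min_mtbf=50.0, max_mttr=4.0, min_availability=0.95)

CANDIDATES = {
    "System I": (2.0, 0.1),        # MTBF, MTTR from the text
    "System II": (200.0, 10.0),    # MTBF, MTTR from the text
    "At both limits": (50.0, 4.0), # constructed: each value acceptable alone
}

# Constructed component data for the prediction step.
PARTS = [
    Component("power supply", 0.002, 1.0),
    Component("transmitter", 0.005, 4.0),
    Component("antenna drive", 0.003, 10.0),
]

if __name__ == "__main__":
    for name, (mtbf, mttr) in CANDIDATES.items():
        a, bad = evaluate(mtbf, mttr, REQ)
        print(f"{name}: A={a:.3f} violations={bad or 'none'}")
    mtbf, mttr = predict_mtbf(PARTS), predict_mttr(PARTS)
    a, bad = evaluate(mtbf, mttr, REQ)
    print(f"Predicted: MTBF={mtbf:.1f} hr MTTR={mttr:.2f} hr "
          f"A={a:.3f} violations={bad or 'none'}")
    print("Improve first:", downtime_ranking(PARTS)[0].name)
```

The "At both limits" candidate sits exactly on the MTBF and MTTR limits yet fails the availability floor, which is the combination the paragraph above cautions against.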

Other trade-off techniques involve:

(1) Increasing system availability by improving maintainability
through trade-offs between design and support parameters, for example,
by using sophisticated maintenance equipment to reduce maintainability
requirements. This method, however, may increase overall program
costs.

(2) Comparing costs versus availability for a basic system, a
redundant system, a basic system plus sophisticated support equipment,
etc., to determine which approach provides the highest availability
for the least cost.

(3) Extending system-level techniques to subsystem or component levels
and then working upward to the overall system level.

Refs.  7,  10,  11,  and  others  at  the  end  of 
this  chapter  provide  additional  discussions  of 
trade-off  techniques. 

1-6  THE  ROLE  OF  SAFETY 

A safety program, one of the basic elements of the system engineering
effort, has the following objectives:

(1) System design must include a level of safety consistent with
mission requirements.

(2) Hazards associated with each system, subsystem, and equipment must
be identified, evaluated, and eliminated or controlled to an
acceptable level.

(3) Hazards that cannot be eliminated must be controlled to protect
personnel, equipment, and property.

(4) Minimum risk levels must be determined and applied in the
acceptance and use of new materials, and new production and testing
techniques.

(5) Retrofit actions required to improve safety must be minimized by
conservative design during the acquisition of a system.

(6) Historical safety data generated by similar system programs must
be considered and used where appropriate (Ref. 18).

The purpose of safety analysis is to identify hazards and minimize or
eliminate risks. Statistical and analytic techniques, however, are not
a replacement for common sense. Sometimes, establishment of an
acceptable risk level can result in unnecessary hazards when a change
with a slight, acceptable increase in cost or decrease in
effectiveness would eliminate the risk entirely. This reasoning is
particularly pertinent when the event, even though its probability of
occurrence is relatively low, might cause system failure.

1-6.1  RELATIONSHIPS  TO  RELIABILITY 

Safety, like reliability and other system parameters, can be expressed
as a probability, as, for example, the probability that no unsafe
event will happen under specified operating conditions for a given
time period. Thus, safety-analysis techniques closely parallel and, in
some cases, actually use methods commonly associated with reliability.
The Failure Mode and Effect Analysis (FMEA) and Cause-Consequence
chart, for example, are reliability and safety tools. They are
discussed in detail in Chapters 7 and 8. In general, safety is a
specialized form of reliability study. This does not imply, however,
that safety is a subordinate activity or derived discipline of
reliability, but only that the activities of safety and reliability
are closely related, both in concepts and in techniques. A system that
is unreliable, for example, also may be unsafe, because system
failures may cause injuries or loss of life of operators or users.

People are a more important part of safety than of reliability,
because of possible injury to users or bystanders even when the
mission is not imperiled. The human subsystem is discussed further in
Chapter 6.

Just as a reliability/maintainability guideline requires that
components that are difficult to maintain should be made more
reliable, a reliability/safety guideline requires increased
reliability of components that are unsafe to repair or replace. Some
additional safety guidelines and techniques are discussed in the
paragraphs that follow. Their relationships to reliability and to
system engineering produce data that are useful to these other
disciplines and, similarly, allow use of information generated by
studies performed by other technical fields.

1-6.2  SYSTEM  HAZARD  ANALYSIS 

As shown in Fig. 1-1, system lifetime is divided into five phases: (1)
concept formulation, (2) contract definition, (3) engineering
development, (4) production, and (5) operation. During the concept
formulation phase, a preliminary hazard analysis identifies potential
hazards associated with each design and must be reviewed and revised
as the system progresses through subsequent phases. This analysis is
qualitative and develops safety criteria for inclusion in the
performance and design specifications formulated in Step 2 of the
system engineering process (par. 1-2). The preliminary hazard analysis
also must consider solutions to safety problems, outline inadequately
defined conditions for additional study, and consider specific
technical risks in the proposed design.

The subsystem hazard analysis is basically an expansion of the
preliminary hazard analysis and usually occurs in the contract
definition phase. Its purpose is to analyze the functional
relationships between components of each subsystem and identify
potential hazards due to component malfunctions or failures. Thus, the
subsystem hazard analysis is similar to Step 3 of the system
engineering process (par. 1-2) and, in fact, provides inputs to Step
3. An FMEA and Cause-Consequence chart, adapted to the safety
viewpoint, are included to evaluate individual component failures and
their influences on safety within each subsystem.

The contract definition phase also includes the system hazard
analysis, which is basically an extension of the subsystem analysis in
that the system hazard analysis treats safety integration and
subsystem interfaces on an overall system basis. Trade-off and
interaction studies during this phase must interlock with the system
hazard analysis to obtain maximum system effectiveness and balanced
apportionment among the various contributing disciplines (safety,
reliability, etc.).

The operating hazard analysis encompasses safety requirements for
personnel, procedures, and equipment in such functional areas as
installation, maintenance, support, testing, storage, transportation,
operation, training, and related activities. This study, like the
previous ones, must be continued by reviews and revisions throughout
the system life cycle, and involves having other disciplines
(reliability, human factors, etc.) work with the safety engineers.

Thus, hazard analysis, through a comprehensive safety program,
provides many useful inputs to the system engineering process and to
other system parameters. These inputs, if effectively developed and
intelligently used, can reduce overall program costs, contribute to
economical scheduling, and make the task of interaction and trade-off
studies much easier, since safety analysis techniques parallel or
duplicate studies in reliability, maintainability, human factors, and
other system disciplines.

1-6.3  TRADE-OFFS

Some trade-offs have been mentioned previously. The increase in
reliability of parts that are relatively unsafe to repair or replace
represents one such consideration. Trade-offs must be treated in the
initial design phases, so that changes can be made early to preclude
later problems in costs and scheduling or barely adequate fixes.

The selection of trade-off alternatives basically involves an analysis
of all possible methods to improve safety, and a determination of the
degree to which each method should be used. The analysis involves the
investigation of safety hazards due to poor design, assembly errors,
incorrect materials, improper test procedures, inadequate maintenance
practices, careless handling during transportation, system
malfunctions or failures that create unsafe conditions, and similar
sources. Reliability and maintainability trade-offs, in conjunction
with safety analysis, can reduce such hazards by use of standard
components having proven reliability; ease of maintenance; and
familiarity to operator/users, maintenance technicians, and production
and test personnel. Similarly, reliability techniques such as
redundancy, derating, and stress/strength analysis can be used to
provide higher reliability and lower the probability of unsafe
conditions. Safety/maintainability considerations, in addition to
standardizing parts, can improve safety by reducing or eliminating
hazards during maintenance through such methods as reducing weight
and/or size to prevent personal strain or dropping hazards,
eliminating sharp edges or projections, and considering proximity of
parts or subassemblies to dangerous items or conditions (high
temperatures, moving machinery, etc.). One trade-off which must be
carefully evaluated for its effect on reliability or maintainability
is the use of remote control devices to isolate operators from safety
hazards. These devices may, themselves, create reliability or
maintainability difficulties, or may increase system engineering
efforts unacceptably, or decrease system effectiveness through
influences on reliability and/or maintainability. In almost all cases,
remote control devices will increase system costs and development
time. Remote control devices also will create their own unique
problems of component, subassembly, or subsystem interfaces and
interactions.


The references at the end of this chapter discuss in greater detail
the design objectives, interactions, and trade-offs associated with
safety. Safety terms, for example, are defined in Ref. 3, while Refs.
18 and 19 give military policies, guidelines, and objectives for
system safety. Other approaches to safety are discussed in Refs.
20-25. Ref. 22 in particular treats the subject of safety/reliability
relationships and trade-offs, and provides additional information on
analytic methods, including FMEA and Fault Trees.

1-7  SUMMARY 

Consideration of interactions and trade-offs must not be limited to
the solution of problems that are easily identified or solved. Too
often, a problem that is difficult to handle is simply ignored or
treated with an expedient fix. Invariably, it is these fixes and
ignored problems that reappear as major obstacles to schedule
milestones and attainment of technical objectives, or contribute to
cost overruns. Comprehensive trade-off and interaction studies must be
made, therefore, in the initial design phases, so alternatives can be
applied intelligently to preclude these downstream obstacles.

The heavy emphasis on trade-offs in this chapter does not mean that
the designer is always faced with trade-off difficulties. In many
situations, what is good for reliability is good for safety,
maintainability, etc.; i.e., some things are just good all around.

As the gap between design drawings and actual hardware narrows in the
engineering development phase, the importance of trade-offs,
interactions, and thorough studies in each system discipline
increases. Schedules and costs become critical restraints, and changes
to the system must be made promptly and only when actually needed.
Many programs have suffered schedule and cost overruns in production,
for example, because effective studies either were not made, or were
not used intelligently to identify and correct difficulties. An error
invariably costs more to correct during production (or later) phases
than it would if the same solution had been found and implemented
during earlier phases. In some cases, tooling must be modified or even
discarded and new tooling fabricated, parts must be scrapped or
modified, engineering drawings must be changed, cost proposals must be
prepared for changes, and new studies must be made to evaluate the
impact and interactions created by these changes. These activities
require the time and talents of the engineers and managers who
otherwise could be concentrating on providing the Army with an
effective system, rather than solving problems that should have been
found and corrected earlier and with less effort. Thus, the importance
of thorough, comprehensive trade-off and interaction studies cannot be
overemphasized, although the cost for this extra effort must be
provided for.

From the reliability viewpoint, the cost of designing to reduce the
probability of an unwanted event is usually less than the subsequent
cost to redesign and correct the resulting system problems. The loss
created by the failure or malfunction, for example, must include
system damage plus losses of time, mission objectives, and, perhaps,
the lives of people associated with the correct functioning of the
system. With this viewpoint, the reliability engineer must answer the
following question: Does the initiation of a given corrective action
sufficiently reduce the probability of an unwanted event to make the
action worthwhile? This is a tough question to answer. Fortunately,
the reliability engineer is aided in his decision by the other system
engineering disciplines. The safety engineer, for example, can
evaluate the risk to operators or other system personnel in the
vicinity of the failure, and the human factors engineer can evaluate
the responses of personnel to the failure to aid in predicting
secondary accidents (injuries resulting from human reactions to the
failure).

In designing for reliability, interactions and trade-offs should be
applied to overall system objectives as they relate to future
improvements in technology, expansions of system capabilities, and
variations in predicted enemy actions and equipment. In other words,
consideration should be given to designing some capacity into military
systems to assimilate improvements throughout the life cycle. In the
vehicle tire discussion of par. 1-3, for example, if technology did
not permit fabrication of a tire capable of reliable operation in 90
mph, 110°F, and jagged surface environments, and if desired military
objectives included these environments, then system design should plan
for eventual development of such a tire. These plans would include
increased braking capacity for the higher speeds, better suspensions
for the jagged surfaces, sturdier wheels and bearings, and other
related aspects. Another approach to designing for the future involves
the use of high reliability components in a system having components
with relatively low reliability. The standard argument against this
approach is that the low reliability components act as "weak links in
the chain" and, thereby, negate the advantages of the high reliability
items. If, however, these relatively unreliable parts subsequently are
improved to higher reliabilities during the system lifetime, the
overall system improvement cost is confined to replacing the low
reliability items with their improved versions, rather than having a
complete system overhaul or redesign to upgrade all components. The
technique of designing for the future, however, must be evaluated
carefully against actual needs. There are cases where such design
measures are not appropriate. If the system lifetime is short compared
with the anticipated development time of better components, planning
for subsequent incorporation of these more reliable parts would not be
practical. Similarly, if the system reliability is already at or above
the actual requirement for its application, then a reliability
"overkill" might be wasteful.

This chapter has presented the elements of system engineering and their
relationships to one another and to reliability. The intent has been to
provide an overall perspective of system engineering and the role of
reliability in this system development process. Other disciplines such
as quality assurance, value engineering, logistic engineering,
manufacturing, and production engineering also contribute to system
development, interact with reliability studies, and create their own
unique trade-offs with system parameters.

CHAPTER 2 THE ENVIRONMENT


2-1  INTRODUCTION 

A series of the Engineering Design Handbooks deals explicitly and in
detail with environmental problems: Refs. 1, 10, 17, 18, and 19. This
chapter gives a brief summary of some of the elements of the
environment. Those Handbooks should be consulted for specific
information.

Some miscellaneous aspects of environment vs reliability are covered in
Refs. 11-16.

2-1.1  MILITARY  OPERATIONS 

Practically all military operations require information about the
environment. In addition, the materiel and equipment used during these
operations must provide satisfactory performance in the environment.
Consequently, design and development engineers must be familiar with
the reliability aspects of environmental influences and with methods
used to prevent or reduce significant adverse effects due to the
environment. Some generalization is possible for both the influences
and the methods used to compensate for the effects, but the limits
established for each must be reasonable. Unless design, test, and
evaluation criteria are based upon a realistic model, the results will
show only that the design operates satisfactorily within the artificial
conditions of the environmental model. Whether designing equipment or
devising environmental tests, there are two basic considerations:

(1) Decide which environmental factors are important because their
effects might be adverse to military operations.

(2) Determine which of these conditions are most likely to occur.

Both considerations require knowledge of environmental elements and
factors, but the first also involves a study of military activities and
equipment that may be affected by the environment.


2-1.2  PREDICTING  ENVIRONMENTAL 
CONDITIONS 

Basically, there are two parts of the environmental problem:

(1)  A consideration  of  the  properties  or 
characteristics  of  the  environment. 

(2)  An  analysis  of  the  effects  caused  by 
the  environment. 

The first part leads to a division of the environment into three broad
categories: (1) man-independent, (2) man-made, and (3) man-altered.
Man-independent environment is an ambient condition and consists of
climate, terrain, vegetation, and other elements existing at or near
the surface of the earth. Man-made environment involves conditions such
as radioactivity and shock waves from nuclear explosions, air pollution
from fuel combustion, and interference from electromagnetic wave
generation. Man-altered environment results from the interaction
between man-independent conditions and man’s activities; for example,
increased ground and air temperatures caused by cities, erosion and
decreased ground moisture levels due to removal of vegetation, and
ecology modification by chemicals and pesticides. Since Categories 2
and 3 pertain to conditions caused by man, they usually are combined
into one category called induced environment.

AMCP 706-115 (Ref. 1) divides environmental characteristics into
elements and factors, which are defined as:

(1) Element: a broad and qualitative term such as climate, terrain,
etc.

(2) Factor: a constituent of an element which can be measured
quantitatively. Factors of the weather, for example, are temperature,
wind, rain, etc.; factors of terrain are elevation, soil, soil
moisture, etc.

Thus, there are three basic environmental elements: (1) climatic, (2)
terrestrial, and (3) induced. Environmental factors associated with
each of these three elements are shown in Table 2-1 (adapted from Ref.
1). Specific combinations of individual factors and the frequency and
intensity with which each factor occurs in the combination are
associated with geographical environmental classifications such as
arctic, desert, tropic, and temperate. The tropic, for example, has
temperatures ranging from moderate to high, heavy rainfall and high
humidity, dense vegetation, many animals and insects, many
microbiological factors, and moderate to high levels of solar
radiation. From a design standpoint, these factors are important. High
ambient temperatures, for example, increase the operating temperatures
in heat-sensitive equipment. Similarly, high humidity and
microbiological factors encourage corrosion and fungus. Dense
vegetation requires that protrusions, such as an antenna, either be
mechanically protected or made sufficiently flexible to preclude
breaking. If a piece of equipment, a jeep for example, must function in
arctic and tropical environments, the design problems would include
protection against freezing, etc., along with the protective measures
included for tropic operation.

TABLE 2-1. MAJOR ENVIRONMENTAL FACTORS

CLIMATIC                  TERRESTRIAL          INDUCED
Temperature               Elevation            Shock
Solar Radiation           Surface Contour      Vibration
Atmospheric Pressure      Soil                 Acceleration
Precipitation             Subsoil              Nuclear Radiation
Humidity                  Surface Water        Electromagnetic Radiation
Ozone                     Subsurface Water     Airborne Contaminants
Salt Spray                Vegetation           Acoustic Noise
Wind                      Animals, Insects     Thermal Energy
Blowing Sand and Dust     Microbiological      Modified Ecology
Ice or Frost Formation
Fog

Inherent in the prediction of environmental conditions is the
implication that frequency, duration, intensity, and interactions among
factors also will be considered. For example, wind causes blowing sand
and dust in the desert, salt spray on the ocean, and lower effective
temperatures (due to the windchill factor) in the arctic. Conversely,
the manner and rate of the reactions of the item to the effects of
environmental factors may change with the intensity, duration, or
frequency of the factors. An air filter on a jeep may function
satisfactorily in a desert environment, even though above average
amounts of dust and sand are present. But if this jeep were involved in
a dust or sand storm, the increased intensity and duration of blowing
sand and dust might cause the filter to become clogged and inoperative.

Environmental prediction methods require some numerical means of
expressing intensities, frequencies, etc.; hence, the effectiveness of
the prediction will depend upon the quantification techniques and how
they are applied to the relationships among contributing factors and
between individual factors and their effects. Usually, environmental
specialists deal with environmental factors in a form suitable for
numerical measuring and recording, while military users commonly
express environmental conditions in terms of geographical environmental
features, or as combinations of factors.

Thus, the problem of designing, testing, and evaluating for
environmental conditions becomes one of determining the most probable
operating extremes and evaluating the effects on the design within
these extremes. To this end, several approaches have been developed,
including an operational analysis (Ref. 2), a map-type presentation
showing geographical (environmental) areas where environmental design
limits would be exceeded for specific types of equipment (Ref. 3), and
the use of computers to analyze data on environmental conditions.

2-2  EFFECTS  OF  THE  ENVIRONMENT 

2-2.1  GENERAL  CATEGORIES 

System failures due to environmental influences can be divided into two
kinds of effects: (1) mechanical and (2) functional. Although both
effects prevent the system from satisfactorily performing its intended
mission, only mechanical effects represent an actual defect or failure
of one or more components. The functional effects encompass system
functions that have been altered adversely or impeded by environmental
influences. The jeep filter mentioned in par. 2-1.2, for example, was
clogged and rendered inoperative by sand and dust. The sand and dust
environment caused the filter to fail and, therefore, is a mechanical
effect. On the other hand, blowing sand and dust would have a
functional effect on an optical rangefinder, since the visibility would
be reduced and the otherwise functional rangefinder rendered unable to
perform its intended function. Table 2-2 (Ref. 4) shows some principal
effects and typical induced failures caused by environmental factors.

2-2.2  COMBINATIONS  OF  NATURAL  ENVIRONMENTAL  FACTORS

2-2.2.1  Evaluation  of  Environmental  Characteristics

The characteristics of an environment are determined by which
environmental factors are present and how these factors combine. Each
of these two areas must be considered when evaluating environmental
characteristics. The first one, which factors are present, is the
easier to handle and usually involves listing of all pertinent
environmental factors that may adversely affect the proposed design and
the significant properties of each factor, such as amount, frequency,
duration, and force; these data have been used for some time, and are
reasonably available for many geographical areas. How environmental
factors combine, however, is more difficult since one factor may cause
another factor to occur (wind, for example, causing blowing sand or
dust), or may intensify other factors (rain causing increased
humidity), or may even decrease the effects of another factor (solar
radiation causing a decrease or even elimination of fungous or
microbiological effects). Thus, each factor and its associated
properties must be compared with all other possible factors to identify
and evaluate possible adverse combinations.

2-2.2.2  Combinations

Environmental conditions always occur as combinations of factors. For
any given situation, there always will be such factors as pressure,
temperature, and humidity, even though the values of each factor may be
considered normal for the situation. Usually, specific environmental
combinations are identified by the factors that deviate significantly
from their normal values. Thus, the duration, frequency, and intensity
with which each factor occurs are the important consideration, rather
than the actual combination of factors, because these abnormal factors
are usually the ones that cause poor reliability. For example, even
though the humidity is zero, the humidity factor is still present, and
the reliability difficulty for zero humidity is desiccation, as shown
in Table 2-2. Of course, the situation could exist where zero humidity
is desirable. In this case, even though zero humidity is not a
difficulty, it still represents an important design consideration in
the sense that devices to reduce the humidity may not be required.

In most combinations, extreme values of environmental factors occur
individually, although, as pointed out in par. 2-2.2.1, the
interrelationships between combined factors can significantly affect
the expected values of individual factors. In some cases, however,
because of their combining relationships, an extreme of one factor may
intensify another factor until it, too, may approach an extreme value.
Heavy rainfall, for example, will cause the relative humidity to reach
an extreme value. Similarly, solar radiation and temperature also may
exist simultaneously as extreme values.

TABLE 2-2. ENVIRONMENTAL EFFECTS

FACTOR | PRINCIPAL EFFECTS | TYPICAL FAILURES INDUCED (SEE NOTE 2)
High temperature | Thermal aging: oxidation, structural change, chemical reaction | Insulation failure, alteration of electrical properties
  | Softening, melting, and sublimation | Structural failure
  | Viscosity reduction, and evaporation | Loss of lubricating properties
  | Physical expansion | Structural failure, increased mechanical stress, and increased wear on moving parts
Low temperature | Increased viscosity and solidification | Loss of lubricating properties
  | Ice formation | Alteration of electrical or mechanical functioning
  | Embrittlement | Loss of mechanical strength (see note 1), cracking, fracturing
  | Physical contraction | Structural failure, increased wear on moving parts
High relative humidity | Moisture absorption | Swelling, rupture of container, physical breakdown, loss of electrical strength
  | Chemical reaction: corrosion, electrolysis | Loss of mechanical strength, interference with function, loss of electrical properties, increased conductivity of insulators
Low relative humidity | Desiccation: embrittlement, granulation | Loss of mechanical strength, structural collapse, alteration of electrical properties, "dusting"
High pressure | Compression | Structural collapse, penetration of sealing, interference with function
Low pressure | Expansion | Fracture of container, explosive expansion
  | Outgassing | Alteration of electrical properties, loss of mechanical strength
  | Reduced dielectric strength of air | Insulation breakdown and arcing, corona and ozone formation
Solar radiation | Actinic and physicochemical reactions: embrittlement | Surface deterioration, alteration of electrical properties, discoloration of materials, ozone formation
Sand and dust | Abrasion | Increased wear
  | Clogging | Interference with function, alteration of electrical properties
Salt spray | Chemical reactions: corrosion | Increased wear, loss of mechanical strength, alteration of electrical properties, interference with function
  | Electrolysis | Surface deterioration, structural weakening, increased conductivity
Wind | Force application | Structural collapse, interference with function, loss of mechanical strength
  | Deposition of materials | Mechanical interference and clogging, accelerated abrasion
  | Heat loss (low velocity wind) | Accelerated low-temperature effects
  | Heat gain (high velocity wind) | Accelerated high-temperature effects
Rain | Physical stress | Structural collapse
  | Water absorption and immersion | Increase in weight, increased heat removal, electrical failure, structural weakening
  | Erosion | Removal of protective coatings, structural weakening, surface deterioration
  | Corrosion | Enhanced chemical reactions
Blowing snow | Abrasion | Increased wear
  | Clogging | Interference with function
Temperature shock | Mechanical stress | Structural collapse or weakening, seal damage
High speed particles (nuclear irradiation) | Heating | Thermal aging, oxidation
  | Transmutation and ionization | Alteration of chemical, physical, and electrical properties; production of gases and secondary particles
Zero gravity | Mechanical stress | Interruption of gravity-dependent functions
  | Absence of convection cooling | Aggravation of high-temperature effects
Ozone | Embrittlement, granulation | ... properties, loss of mechanical strength, interference with function
  | Reduced dielectric strength of air | Insulation breakdown and arcing
Explosive decompression | Severe mechanical stress | Rupture and cracking, structural collapse
Dissociated gases | Chemical reactions: contamination | Alteration of physical and electrical properties
  | Reduced dielectric strength | Insulation breakdown and arcing
Acceleration | Mechanical stress | Structural collapse
Vibration | Mechanical stress | Loss of mechanical strength, interference with function, increased wear
  | Fatigue | Structural collapse
Magnetic fields | Induced magnetization | Interference with function, alteration of electrical properties, induced heating

Notes:

1. This is not necessarily true for metals. Low temperature raises
tensile strength and stiffness but reduces deformation and toughness
for metals. Metals have many different failure mechanisms; a
metallurgist ought to be consulted.

2. In general, the following terms may be applied to semiconductors and
dielectrics:

a. Alteration of electrical properties: increase or decrease of
dielectric constant.

b. Loss of electrical properties: decrease of dielectric constant to
the extent that the material fails to serve its design function.

c. Loss of electrical strength: breakdown of arc-resistance.

AR 70-38 (Ref. 5) discusses climatic environmental factors and their
extremes from the viewpoint of military importance and relationship to
research, development, test, and evaluation of materiel. Fig. 2-1 (Ref.
6) illustrates the environmental extremes and how they vary relative to
latitude at the surface of the earth. Similarly, Fig. 2-2 (Ref. 6)
shows the distribution of extremes at these latitudes for various
altitudes above the surface of the earth. Both figures are very
qualitative and do not represent actual values (no vertical scale is
shown). Additionally, since the extremes do not occur all at the same
time, these figures do not represent realistic combinations.

FIGURE 2-1. Latitudinal Distribution of Environmental Extremes
(horizontal axis: latitude, 90 N to 90 S)

FIGURE 2-2. Semispatial Distribution of Environmental Extremes

Thus, it is necessary to consider environmental combinations of factors
at values somewhat below their extremes. One method is to select the
most significant environmental factor and establish its probable
extreme value. Next, determine the second most significant factor and
assign it the highest value that occurs naturally with the first
factor. Then, the third most significant factor is identified, and its
highest value occurring with the values of the first two factors is
determined. This relative ranking system is continued in descending
order of significance and values until the last pertinent factor has
been considered. Obviously, this method can result in an extremely
large number of possible combinations, since the number of combinations
increases as the factorial of the number of factors involved. Ten
factors, for example, provide 10! = 3,628,800 possible combinations.
Thus, a more reasonable approach is needed. Since a possible
combination may not be a practical combination from a reliability
viewpoint, a study of practical combinations will be more useful.

2-2.2.3  Practical  Combinations 

A comparison of temperature with every other pertinent factor is a
reasonable beginning in analyzing multiple combinations. One approach
is to compare temperature to other factors graphically as shown in Fig.
2-3 (Ref. 6). Since Fig. 2-3 is intended only to illustrate a
technique, no vertical scales are shown for the environmental factors,
and hypothetical variations are indicated versus temperature (hot to
the left, cold to the right). Depending upon the specific analytic
requirements, wind, for example, could be expressed as speed in
miles-per-hour, pressure in pounds per square inch, etc. Similarly,
snow could be denoted as depth in inches, load bearing on a structure
in pounds per square inch, etc. After completing the initial graphical
analysis, a third factor can be included. For example, an evaluation
could be made in which the occurrence of temperature, wind, and blowing
snow is considered as a possible combination. Meteorological data for
each factor then can be compared statistically with the values for the
other factors, and probabilities determined and compared. Thus, the
probability that “specific values (or ranges) for each factor occur
with specific values (or ranges) of the other factors” will provide a
weighting or relative ranking sequence for evaluating the selected
combination. Since some combinations, although environmentally
practical, will only occur in specific geographical areas, they can be
eliminated from the analysis if the equipment will not be used in these
areas. On the other hand, local environmental peculiarities must be
considered carefully in any study, since they may create effects that
otherwise would go undetected in a generalized analysis over a large
area. Furthermore, many optimistic predictions of the future are wrong;
"if the worst can happen, it will happen."

FIGURE 2-3. Comparison Between Temperature and Other Environmental
Factors (Ref. 6)

In addition to the graphical approach, environmental factors may be
combined in pairs and analyzed by a chart similar to Table 2-3 (Ref.
7). The techniques involved in developing a chart are similar to those
for the graphical method, and the same general comments apply to both
approaches.
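
The ranked selection of par. 2-2.2.2 and the statistical comparison of par. 2-2.2.3, worked as an added example that is not part of the handbook. The site records, factor names, tolerances, and candidate ranges are all constructed assumptions.

```python
from math import factorial

# Constructed observations for a hypothetical cold-region site.
# These values are illustrative only; they are not data from the handbook.
RECORDS = [
    {"temp_f": -50, "wind_mph": 3,  "snow_in": 0},
    {"temp_f": -48, "wind_mph": 6,  "snow_in": 1},
    {"temp_f": -45, "wind_mph": 10, "snow_in": 2},
    {"temp_f": -30, "wind_mph": 25, "snow_in": 6},
    {"temp_f": -25, "wind_mph": 35, "snow_in": 10},
    {"temp_f": -20, "wind_mph": 40, "snow_in": 12},
    {"temp_f": -10, "wind_mph": 30, "snow_in": 4},
    {"temp_f": 0,   "wind_mph": 20, "snow_in": 1},
    {"temp_f": 10,  "wind_mph": 45, "snow_in": 0},
    {"temp_f": 20,  "wind_mph": 15, "snow_in": 0},
]

# Factors in descending order of significance (assumed ranking):
# (name, adverse direction, tolerance that counts as "occurring with" the extreme)
RANKING = [
    ("temp_f", "low", 5),
    ("wind_mph", "high", 5),
    ("snow_in", "high", 0),
]

# Candidate combinations as inclusive (low, high) ranges per factor (assumed).
CANDIDATES = {
    "cold_calm": {"temp_f": (-50, -40), "wind_mph": (0, 10), "snow_in": (0, 2)},
    "cold_gale": {"temp_f": (-50, -40), "wind_mph": (30, 50), "snow_in": (6, 20)},
    "blizzard":  {"temp_f": (-30, -10), "wind_mph": (25, 40), "snow_in": (4, 12)},
}


def possible_orderings(n_factors):
    """Number of ways to rank n factors by significance (n!)."""
    return factorial(n_factors)


def independent_extremes(records, ranking):
    """Worst value of each factor taken alone, ignoring co-occurrence."""
    out = {}
    for name, direction, _tol in ranking:
        pick = min if direction == "low" else max
        out[name] = pick(r[name] for r in records)
    return out


def conditional_extremes(records, ranking):
    """Walk the ranking in order. Each factor is assigned its worst value
    among the records that co-occur with the extremes already chosen for
    the factors ranked above it."""
    pool = list(records)
    out = {}
    for name, direction, tol in ranking:
        if direction == "low":
            extreme = min(r[name] for r in pool)
            pool = [r for r in pool if r[name] <= extreme + tol]
        else:
            extreme = max(r[name] for r in pool)
            pool = [r for r in pool if r[name] >= extreme - tol]
        out[name] = extreme
    return out


def joint_probability(records, ranges):
    """Fraction of records in which every factor falls inside its range."""
    if not records:
        return 0.0
    hits = sum(
        all(lo <= r[name] <= hi for name, (lo, hi) in ranges.items())
        for r in records
    )
    return hits / len(records)


def rank_combinations(records, candidates):
    """Candidate combinations ordered from most to least probable."""
    scored = [(name, joint_probability(records, rng))
              for name, rng in candidates.items()]
    return sorted(scored, key=lambda item: item[1], reverse=True)


if __name__ == "__main__":
    print("orderings of 10 factors:", possible_orderings(10))
    print("independent extremes:  ", independent_extremes(RECORDS, RANKING))
    print("conditional extremes:  ", conditional_extremes(RECORDS, RANKING))
    for name, p in rank_combinations(RECORDS, CANDIDATES):
        print(f"{name:10s} P = {p:.1f}")
```

In the constructed data the three individual extremes never occur in the same record, so a design case built from them has zero observed probability, while the conditional selection yields a combination that was actually recorded.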

2-2.3  COMBINATIONS  OF  INDUCED  ENVIRONMENTAL  FACTORS

All environmental conditions are influenced to some extent by the
presence of man or man's products. The basic act of breathing, for
example, consumes oxygen and releases carbon dioxide and water vapor
into the atmosphere. While the breathing of one man in the middle of a
forest will not cause a noticeable change in the concentrations of
oxygen, water vapor, or carbon dioxide, the change is extremely
important in the closed atmosphere of a spacecraft life-support system.
Similarly, the motion of a hydraulic piston causes shock and vibration,
and the piston operating pressure and friction create heat. If the
piston intake stroke allows moisture to enter the cylinder, the
moisture may cause corrosion which, in turn, could lead to increased
friction, greater wear, and additional heat. Any contaminants, such as
sand or dust, that enter the cylinder with the moisture will also
contribute to increased friction, wear, and heat. Even the color of
paint used on equipment can affect reliability, since optically light
colors such as white or silver also reflect significant amounts of
infrared, while optically dark colors such as black or olive-drab will
cause higher internal temperatures by absorbing infrared. These
examples illustrate that induced environmental factors, either singly
or in combination, represent the major environmental problems from a
reliability viewpoint.

2-2.4  ENVIRONMENTAL  ANALYSIS 

After establishing the desired equipment parameters and roughing out
the initial design, the designer ought to analyze the probable
operating environment. The results can then be applied to system
components to determine the environments experienced by individual
components and how these individual environments will affect component
operation and reliability. Thus, individual part specifications can be
selected to compensate for environmental influences, rather than having
to add environmental compensating methods after the design has
progressed to more advanced stages. The environmental analysis must
consider all phases of the mission profile, i.e., the equipment
stockpile-to-target sequence. Some of the distinct phases that must be
evaluated are transportation, handling, storage, standby-idle time,
standby-active time, use or operational time, and maintenance. Each
phase creates its own peculiar influences on equipment reliability. The
circulation of air during operation, for example, may prevent the
accumulation of moisture or dust, while the same item in storage may
not have this circulation and may corrode or grow fungus. Table 2-4
(adapted from Ref. 6) shows some effects of natural and induced
environments during the various phases of the lifetime of an item.
Table 2-5 (adapted from Ref. 6) provides reliability considerations for
pairs of environmental factors. Ref. 7 gives more information on
combinations of environments.

2-3  DESIGNING  FOR  THE  ENVIRONMENT

Equipment failures have three convenient classifications:

(1) Poor design or incorrect choice of materials or components

(2) Inadequate quality control which permits deviations from design
specifications

(3) Deterioration caused by environmental effects or influences.

The perceptive reader, at this point, will have observed that the first
and third classes are related. Specifically, the careful selection of
design and materials can extend item reliability by reducing or
eliminating adverse environmental effects. Needless to say, this is not
a profound  thought,  but  merely  one  that  is 
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TABLE  2-5.  VARIOUS  ENVIRONMENTAL  PAIRS6 


High  Temperatureand  Humidity 

High  Temperatureand  Low  Pressure 

High  Temperature  and  SaJt  Spray 

High  Temperature  tends  to  increase 
the  rate  of  moisture  penetration.  The 
general  deterioration  effects  of  humid- 
ity are  increased  by  high  temperatures. 

Each  of  these  environments  depends 
on  the  other.  Forexample,  as  pressure 
decreases,  outgassing  of  constituents 
of  materials  increases;  and  a*  tempera- 
ture increases,  the  rate  of  outgassing 
increaser  Hence,  each  tends  to  inten- 
, sify  the  effects  of  the  other. 

High  temperature  tends  to  increasethe 
rate  of  corrosion  caused  by  salt  spray. 

High  Temperature  and  Solar  Radiation 

High  Temperature  and  Fungus 

High  Temperature  and  Sand  and  Dust 

V 

This  is  a man-independent  combina- 
tion that  causes  increasing  effects  on 
organic  materials. 

A certain  degree  of  high  temperature 
is  necessary  to  permit  fungus  and 
microorganisms  to  grow.  But.  above 
160°F  (71°C)  fungus  and  microorgan- 
isms cannot  develop. 

The  erosion  rate  of  sand  may  be  ac- 
celerated by  high  temperature.  How- 
ever, high  temperatures  reduce- sand 
and  dust  penetration.  \ 

High  Temperatureand  Shock  and 
Vibration 

High  T emperature  and  A cceieration 

High  Temperature  and  Explosive 
Atmosphere 

Since  both  of  these  environments 
affect  common  material  properties, 
they  will  intensify  each  other's  effects. 
The  amount  that  the  effects  ay  inten- 
sified depends  on  the  magnitude  of 
each  environment  in  the  combination 
Plastics  and  polymers  are  more  sus- 
ceptible to  this  combination  than 
metals,  unless  extremely  high  tempera- 
tures are  involved. 

This  combination  produces  the  same 
effect  as  high  temperature  and  shock 
andvibration. 

Temperature  has  very  little  effect  on 
the  ignition  of  an  explosive  atmos- 
phere, but  it  does  affect  the  air-vapor 
ratiowhich  is  an  important  considera- 
tion. 

Low Temperature and Humidity

Humidity decreases with temperature; but low temperature induces moisture condensation, and, if the temperature is low enough, frost or ice.

High Temperature and Ozone

Starting at about 300°F (150°C), temperature starts to reduce ozone. Above about 520°F (270°C) ozone cannot exist at pressures normally encountered.

Low Temperature and Solar Radiation

Low temperature tends to reduce the effects of solar radiation, and vice versa.

Low Temperature and Low Pressure

This combination can accelerate leakage through seals, etc.

Low Temperature and Salt Spray

Low temperature reduces the corrosion rate of salt spray.

Low Temperature and Sand and Dust

Low temperature increases dust penetration.

Low Temperature and Fungus

Low temperature reduces fungus growth. At sub-zero temperatures fungi remain in suspended animation.
TABLE 2-5. VARIOUS ENVIRONMENTAL PAIRS (Ref. 6) (cont'd)


Low Temperature and Shock and Vibration

Low temperature tends to intensify the effects of shock and vibration. It is, however, a consideration only at very low temperatures.

Low Temperature and Acceleration

This combination produces the same effect as low temperature and shock and vibration.

Low Temperature and Explosive Atmosphere

Temperature has very little effect on the ignition of an explosive atmosphere. It does, however, affect the air-vapor ratio which is an important consideration.

Low Temperature and Ozone

Ozone effects are reduced at lower temperatures, but ozone concentration increases with lower temperatures.

Humidity and Low Pressure

Humidity increases the effects of low pressure, particularly in relation to electronic or electrical equipment. However, the actual effectiveness of this combination is determined largely by the temperature.

Humidity and Salt Spray

High humidity may dilute the salt concentration but it has no bearing on the corrosive action of the salt.

Humidity and Fungus

Humidity helps the growth of fungus and microorganisms but adds nothing to their effects.

Humidity and Sand and Dust

Sand and dust have a natural affinity for water and this combination increases deterioration.

Humidity and Solar Radiation

Humidity intensifies the deteriorating effects of solar radiation on organic materials.

Humidity and Vibration

This combination tends to increase the rate of breakdown of electrical material.

Humidity and Shock and Acceleration

The periods of shock and acceleration are considered too short for these environments to be affected by humidity.

Humidity and Explosive Atmosphere

Humidity has no effect on the ignition of an explosive atmosphere, but a high humidity will reduce the pressure of an explosion.

Humidity and Ozone

Ozone reacts with moisture to form hydrogen peroxide, which has a greater deteriorating effect on plastics and elastomers than the additive effects of moisture and ozone.

Low Pressure and Salt Spray

This combination is not expected to occur.

Low Pressure and Solar Radiation

This combination adds nothing to the overall effects.

Low Pressure and Fungus

This combination adds nothing to the overall effects.

Low Pressure and Sand and Dust

This combination only occurs in extreme storms during which small dust particles are carried to high altitudes.

Low Pressure and Vibration

This combination intensifies effects in all equipment categories, but mostly with electronic and electrical equipment.

Low Pressure and Shock or Acceleration

These combinations only become important at the hyperenvironmental levels, in combination with high temperature.
TABLE 2-5. VARIOUS ENVIRONMENTAL PAIRS (Ref. 6) (cont'd)


Low Pressure and Explosive Atmosphere

At low pressures an electrical discharge is easier to develop, but the explosive atmosphere is harder to ignite.

Salt Spray and Fungus

This is considered an incompatible combination.

Salt Spray and Sand and Dust

This will have the same combined effect as humidity and sand and dust.

Salt Spray and Vibration

This will have the same combined effect as humidity and vibration.

Salt Spray and Shock or Acceleration

These combinations will produce no added effects.

Salt Spray and Explosive Atmosphere

This is considered an incompatible combination.

Salt Spray and Ozone

These environments have the same combined effect as humidity and ozone.

Solar Radiation and Fungus

Because of the resulting heat from solar radiation, this combination probably produces the same combined effect as high temperature and fungus. Further, the ultraviolet in unfiltered radiation is an effective fungicide.

Solar Radiation and Sand and Dust

It is suspected that this combination will produce high temperatures.

Solar Radiation and Ozone

This combination increases the rate of oxidation of materials.

Fungus and Ozone

Fungus is destroyed by ozone.

Solar Radiation and Shock or Acceleration

These combinations produce no additional effects.

Solar Radiation and Vibration

Under vibration conditions, solar radiation deteriorates plastics, elastomers, oils, etc., at a higher rate.

Sand and Dust and Vibration

Vibration might possibly increase the wearing effects of sand and dust.

Shock and Vibration

This combination produces no added effect.

Vibration and Acceleration

This combination produces increased effects when encountered with high temperatures and low pressures in the hyperenvironmental ranges.

Solar Radiation and Explosive Atmosphere

This combination produces no added effects.
sometimes forgotten or perhaps relegated to mental footnotes. The environment is neither forgiving nor understanding; it methodically surrounds and attacks every component of a system, and when a weak point exists, the equipment reliability suffers. Design and reliability engineers, therefore, must understand the environment and its potential effects, and then must select designs or materials that counteract these effects or must provide methods to alter or control the environment within acceptable limits. Selecting designs or materials that withstand the environment has the advantage of not requiring extra components that also require environmental protection and add weight and costs.

In addition to the obvious environments of temperature, humidity, shock, and vibration, the design engineer will create environments by his choice of designs and materials. A gasket or seal, for example, under elevated temperatures or reduced pressures may release corrosive or degrading volatiles into the system. Teflon may release fluorine, and polyvinylchloride (PVC) may release chlorine. Certain solid rocket fuels are degraded into a jelly-like mass when exposed to aldehydes or ammonia, either of which can come from a phenolic nozzle cone. These examples illustrate that internal environments designed into the system can seriously affect reliability.

Many aids are available to design and reliability engineers in selecting materials and components, e.g., the text, Deterioration of Materials, Causes and Preventive Techniques, by Glenn A. Greathouse and Carl J. Wessel (Ref. 8). In addition, military specifications, standards, and handbooks provide both general and specific guidance on this subject. Appendix B lists data banks that consolidate and evaluate materials and components from the reliability viewpoint.

2-3.1  TEMPERATURE  PROTECTION 

Heat and cold are powerful agents of chemical and physical deterioration for two very simple, basic reasons:

(1) The physical properties of almost all known materials are modified greatly by changes in temperature.

(2) The rate of almost all chemical reactions is influenced markedly by the temperature of the reactants. A familiar rule-of-thumb for chemical reactions is that the rate of many reactions doubles for every rise in temperature of 10 degC (Ref. 8); this is equivalent to an activation energy of about 0.6 eV.
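
The link between the 10 degC doubling rule in item (2) and the quoted activation energy can be checked with the Arrhenius rate law. This derivation is an added illustration, not part of the original handbook; the Arrhenius form and the symbols $k$, $A$, $E_a$, $k_B$, $T$, and $\Delta T$ are assumptions introduced here.

$$k(T) = A\,e^{-E_a/(k_B T)}$$

$$\frac{k(T+\Delta T)}{k(T)} = \exp\!\left[\frac{E_a}{k_B}\left(\frac{1}{T}-\frac{1}{T+\Delta T}\right)\right] = \exp\!\left[\frac{E_a\,\Delta T}{k_B\,T\,(T+\Delta T)}\right] = 2$$

$$E_a = \frac{k_B \ln 2 \; T\,(T+\Delta T)}{\Delta T}$$

With $k_B = 8.617\times10^{-5}$ eV/K and $\Delta T = 10$ K:

$$T = 300\ \text{K}: \; E_a \approx 0.56\ \text{eV}, \qquad T = 310\ \text{K}: \; E_a \approx 0.59\ \text{eV}, \qquad T = 320\ \text{K}: \; E_a \approx 0.63\ \text{eV}$$

The rule therefore corresponds to about 0.6 eV only for temperatures a little above room temperature. For a fixed $E_a$, the temperature rise needed to double the rate grows roughly as $T^2$, so the 10 degC figure should not be extrapolated far from the range it was stated for.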

Basically, heat is transferred by three methods: (1) radiation, (2) conduction, and (3) convection. One, or a combination of these three methods, therefore, is used to protect against temperature degradation. High temperature degradation can be minimized by passive or active techniques. Passive techniques use natural heat sinks to remove heat, while active techniques use devices such as heat pumps or refrigeration units to create heat sinks. Such design measures as compartmentation, insulation of compartment walls, and intercompartment and intrawall air flow can be applied independently or in combination. Every system component should be studied from two viewpoints:

(1) Is a substitute available that will generate less heat?

(2) Can the component be located and positioned so that its heat has minimum effect on other components?

For a steady temperature, heat must be removed at the same rate at which it is generated. Thermal systems such as conduction cooling, forced convection, blowers, direct or indirect liquid cooling, direct vaporization or evaporation cooling, and radiation cooling must be capable of handling both natural and induced heat sources. Fig. 2-4 compares the effectiveness of several such methods.

Passive sinks require some means of progressive heat transfer from intermediate sinks to ultimate sinks until the desired heat extraction has been achieved. Thus, when heat sources have been identified, and heat removal elements selected, they must be integrated into an overall heat removal system, so that heat is not merely redistributed within the system. Efficiently integrated heat removal techniques can significantly improve item reliability.

FIGURE 2-4. Comparison of Heat Removal Methods (Ref. 6)

Besides the out-gassing of corrosive volatiles when subjected to heat, almost all known materials will expand or contract when their temperature is changed. This expansion and contraction causes problems with fit between parts, sealing, and internal stresses. Local stress concentrations due to nonuniform temperature are especially damaging, because they can be so high. A familiar example is a hot water-glass that shatters when immersed in cold water. Metal structures, when subjected to cyclic heating and cooling, may ultimately collapse due to the induced stresses and fatigue caused by flexing. The thermocouple effect between the juncture of two dissimilar metals causes an electric current that may induce electrolytic corrosion. Plastics, natural fibers, leather, and both natural and synthetic rubber are all particularly sensitive to temperature extremes as evidenced by their brittleness at low temperatures and high degradation rates at high temperatures. Table 2-6 summarizes some of the basic precautions for reliability at low temperatures. An always present danger is that in compensating for one failure mode, the change will aggravate another failure mode.

2-3.2 SHOCK AND VIBRATION PROTECTION

Basic structural design techniques, such as proper component location and selection of suitable materials, can aid in protecting an item against failure caused by severe environmental stresses from shock or vibration. One factor, however, which is not often considered, is that the vibration of two adjacent components or separately insulated subsystems can cause a collision between them if maximum excursions and sympathetically induced vibrations are not evaluated by the designer. Another failure mode, fatigue (the tendency for a metal to break under cyclic stressing loads considerably below its tensile strength) is an area of reliability concern due to shock or vibration. This includes low cycle fatigue, acoustic fatigue, and fatigue under combined stresses. The interaction between multiaxial fatigue and other environmental factors such as temperature extremes, temperature fluctuations, and corrosion requires careful study. Stress-strength analysis of components and parameter variation analysis are particularly suited to these effects. Destructive testing methods are also very useful in this area. For one-shot devices, several efficient nondestructive evaluation (NDE) methods are available, such as X ray, neutron radiography, and dye-penetrant, which can be used to locate fatigue cracks. Developing a simple design that is reliable is much better than elaborate fixes and subsequent testing to redesign for reliability.

In addition to using proper materials and configuration, the shock and vibration experienced by the equipment ought to be controlled. In some cases, however, even though an item is properly insulated and isolated against shock and vibration damage, repetitive forces may loosen the fastening devices. Obviously, if the fastening devices loosen enough to permit additional movement, the device will be subjected to increased forces and may fail. Many specialized self-locking fasteners are commercially available, and fastener manufacturers usually will provide valuable assistance in selecting the best fastening methods.

An isolation system can be used at the source of the shock or vibration, in addition to isolating the protected component. The best results are obtained by using both methods. Damping devices are used to reduce peak oscillations, and special stabilizers employed when unstable configurations are involved. Typical examples of dampeners are viscous hysteresis, friction, and air damping. Vibration isolators commonly are identified by their construction and material used for the resilient element (rubber, coil spring, woven metal mesh, etc.). Shock isolators differ from vibration isolators in that shock requires stiffer springs and a higher natural frequency for the resilient element. Some of the types of isolation mounting systems are underneath, over-and-under, and inclined isolators.

TABLE 2-6. LOW TEMPERATURE PROTECTION METHODS (Ref. 6)

EFFECT: Differential contraction
PREVENTIVE MEASURES:
    Careful selection of materials
    Provision of proper clearance between moving parts
    Use of spring tensioners and deeper pulleys for control cables
    Use of heavier material for skins.

EFFECT: Lubrication stiffening
PREVENTIVE MEASURES:
    Proper choice of lubricants:
        Use greases compounded from silicones, diesters or silicone-diesters thickened with lithium stearate
        Eliminate liquid lubricants wherever possible.

EFFECT: Leaks in hydraulic systems
PREVENTIVE MEASURES:
    Use of low-temperature sealing and packing compounds, such as silicone rubbers.

EFFECT: Stiffening of hydraulic systems
PREVENTIVE MEASURES:
    Use of proper low-temperature hydraulic fluids.

EFFECT: Ice damage caused by freezing of collected water
PREVENTIVE MEASURES:
    Elimination of moisture by:
        Provision of vents
        Ample draining facilities
        Eliminating moisture pockets
        Suitable heating
        Sealing
        Desiccation of air.

EFFECT: Degradation of material properties and component reliability
PREVENTIVE MEASURES:
    Careful selection of materials and components with satisfactory low-temperature capabilities.

A specific component may initially appear to be sufficiently durable to withstand the anticipated shock or vibration forces without requiring isolation or insulation. However, this observation can be misleading since the attitude in which a part is mounted, its location relative to other parts, its position within the system, and the possibility of its fasteners or another component's fasteners coming loose can alter significantly the imposed forces. Another component, for example, could come loose and strike it or alter the forces acting on it to the extent that failure results.

The following basic considerations must be included in designing for shock and vibration:

(1) The location of the component relative to the supporting structure (i.e., at the edge, corner, or center of the supporting structure)

(2) The orientation of the part with respect to the anticipated direction of the shock or vibration forces

(3) The method used to mount the part.

2-3.3  MOISTURE  PROTECTION 

Moisture is a chemical and, considering its abundance and availability in almost all environments, is probably the most important chemical deteriorative factor of all. Moisture is not simply H2O, but usually is a solution of many impurities; these impurities cause many of the chemical difficulties. In addition to its chemical effects, such as the corrosion of many metals, condensed moisture also acts as a physical agent. An example of the physical effects of moisture is the damage done in the locking together of mating parts when moisture condenses on them and then freezes. Similarly, many materials that are normally pliable at low temperatures will become hard and perhaps brittle if moisture has been absorbed and subsequently freezes. Condensed moisture acts as a medium for the interaction between many, otherwise relatively inert, materials. Most gases readily dissolve in moisture. The chlorine released by PVC plastic, for example, forms hydrochloric acid when combined with moisture.

Although the presence of moisture may cause deterioration, the absence of moisture also may cause reliability problems. The useful properties of many nonmetallic materials, for example, depend upon an optimum level of moisture. Leather and paper become brittle and crack when they are very dry. Similarly, fabrics wear out at an increasing rate as moisture levels are lowered and fibers become dry and brittle. Dusting is encountered in dry environments and can cause increased wear, friction, and clogged filters.

Moisture, in conjunction with other environmental factors, creates difficulties that may not be characteristic of the factors acting alone. For example, abrasive dust and grit, which would otherwise escape, are trapped by moisture. The permeability (to water vapor) of some plastics (PVC, polystyrene, polyethylene, etc.) is related directly to their temperature. The growth of fungus is enhanced by moisture, as is the galvanic corrosion between dissimilar metals.

Some design techniques that can be used singly or combined to counteract the effects of moisture are: elimination of moisture traps by providing drainage or air circulation; using desiccant devices to remove moisture when air circulation or drainage is not possible; applying protective coatings; providing rounded edges to allow uniform coating of protective material; using materials resistant to moisture effects, fungus, corrosion, etc.; hermetically sealing components; gaskets and other sealing devices; impregnating or encapsulating materials with moisture resistant waxes, plastics, or varnishes; and separation of dissimilar metals, or materials that might combine or react in the presence of moisture, or of components that might damage protective coatings. The designer also must consider possible adverse effects caused by specific methods of protection. Hermetic sealing, gaskets, protective coatings, etc., may, for example, aggravate moisture difficulties by sealing moisture inside or contributing to condensation. The gasket materials must be evaluated carefully for out-gassing of corrosive volatiles or for incompatibility with adjoining surfaces or protective coatings.


2-3.4  SAND  AND  DUST  PROTECTION 

In addition to the obvious effect of reduced visibility, sand and dust primarily degrade equipment by:

(1) Abrasion leading to increased wear

(2) Friction causing both increased wear and heat

(3) Clogging of filters, small apertures, and delicate equipment.

Thus, equipment having moving parts requires particular care when designing for sand and dust protection. Sand and dust will abrade optical surfaces, either by impact when being carried by air, or by physical abrasion when the surfaces are improperly wiped during cleaning. Dust accumulations have an affinity for moisture and, when combined, may lead to corrosion or the growth of fungus.

In the relatively dry regions, such as deserts, fine particles of dust and sand readily are agitated into suspension in the air, where they may persist for many hours, sometimes reaching heights of several thousand feet. Thus, even though there is virtually no wind present, the speeds of vehicles or vehicle-transported equipment through these dust clouds can cause surface abrasion by impact, in addition to the other adverse effects of the sand or dust.

Although dust commonly is considered to be fine, dry particles of earth, it also may include minute particles of metals, combustion products, solid chemical contaminants, etc. These other forms may provide direct corrosion or fungicidal effects on equipment, since this dust may be alkaline, acidic, or microbiological.

Since most equipment requires air circulation for cooling, removing moisture, or simply functioning, the question is not whether to allow dust to enter, but, rather, how much or what size dust can be tolerated. The problem becomes one of filtering the air to remove dust particles above a specific nominal size. The nature of filters, however, is such that for a given working filter area, as the ability of the filter to stop increasingly smaller dust particles is increased, the flow of air or other fluid through the filter is decreased. Therefore, the filter surface area either must be increased, the flow of fluid through the filter decreased, or the allowable particle size increased; i.e., invariably, there must be a compromise. Interestingly enough, a study by R. V. Pavia (Ref. 9) showed that, for aircraft engines, the amount of wear was proportional to the weight of ingested dust, but that the wear produced by 100-µm dust was approximately half that caused by 15-µm dust. The 15-µm dust was the most destructive of all sizes tried.

Sand and dust protection, therefore, must be planned in conjunction with protective measures against other environmental factors. It is not practical, for example, to specify a protective coating against moisture if sand and dust will be present, unless the coating is carefully chosen to resist abrasion and erosion or is self-healing.


2-3.5  EXPLOSION  PROOFING 

Protection against explosion is both a safety and reliability problem. An item that randomly exhibits explosive tendencies is one that has undesirable design characteristics and spectacular failure modes. This type of functional termination, therefore, requires extreme care in design and reliability analyses.

Explosion protection planning must be directed to three categories (not necessarily mutually exclusive) of equipment:

(1) Items containing materials susceptible to explosion

(2) Components located near enough to cause the explosive items to explode

(3) Equipment that might be damaged or rendered temporarily inoperative by overpressure, flying debris, or heat from an explosion.

The first category includes devices containing flammable gases or liquids, suspensions of dust in the air, hypergolic materials, compounds which spontaneously decompose in certain environments, equipment containing or subjected to high or low extremes of pressure (includes implosions), or any other systems capable of creating an explosive reaction. The second category is fairly obvious and includes many variations on methods for providing an energy pulse, a catalyst, or a specific condition that might trigger an explosion. A nonexplosive component, for example, could create a corrosive atmosphere, mechanical puncture, or frictional wear on the side of a vessel containing high-pressure air and thereby cause the air container to explode. The third category encompasses practically everything, including items in the first two categories, since a potentially explosive device (such as a high-pressure air tank) can be damaged or made to explode by the overpressure, etc. from another explosion. Thus, some reasoning must be applied when considering devices not defined by the first two categories. From a practical standpoint, explosion protection for items in the third category ought to be directed to equipment that might possibly be near explosions. The sides of a maintenance van, for example, will be subjected to overpressures from exploding enemy artillery rounds. If designed for protection against anything but a direct hit, the van would be extremely difficult to transport. Thus, mobility (and size) and protections against blast are traded off. On the other end of the compromise scale, however, is the bad effect on the reliability of internal equipment when explosion protection is minimal or nonexistent.

The possibility of an explosive atmosphere leaking or circulating into other equipment compartments must be recognized. Lead-acid batteries, for example, create hydrogen gas that, if confined or leaked into a small enclosure, could be exploded by electrical arcing from motor brushes, by sparks from metallic impacts, or by exhaust gases. Explosive environments, such as dust-laden air, might be circulated by air distribution systems.

Explosion protection and safety are very important for design and reliability evaluations, and must be closely coordinated and controlled. Just as safe equipment is not necessarily reliable, neither is reliable equipment necessarily safe; but the two can be compatible, and often are.

2-3.6  ELECTROMAGNETIC-RADIATION 
PROTECTION 

The electromagnetic spectrum is divided conveniently into several categories ranging from gamma rays at the short-wavelength end through X rays, ultraviolet, visible, infrared, and radio, to the long-wavelength radiation from power lines. Solar radiation is the principal reliability concern. Damage near the surface of the earth is caused by the electromagnetic radiation in the wavelength range from approximately 0.15 to 5 µm. This range includes the longer ultraviolet rays, visible light, and up to about midpoint in the infrared band. Visible light accounts for roughly one-third of the solar energy falling on the earth, with the rest being in the invisible ultraviolet and infrared ranges. The solar constant (the quantity of radiant solar heat received normally at the outer layer of the atmosphere of the earth) is, very roughly, about 1 kilowatt per square meter or 1 horsepower per square yard. In some parts of the world, almost this much can fall on a horizontal surface on the ground at noon (Ref. 10).

Solar radiation principally causes physical or chemical deterioration of materials. Examples are the effects due to increased temperature and deterioration of natural and synthetic rubber. As defined in par. 2-2.1, these are mechanical effects. Radiation also can cause functional effects, such as the temporary electrical breakdown of semiconductor devices exposed to ionizing radiation. Considerations to include in a radiation protection analysis are the type of irradiated material and its characteristics of absorption and sensitivity to specific wavelengths and energy levels, ambient temperature, and proximity of reactive substances such as moisture, ozone, and oxygen. Some specific protection techniques are shielding, exterior surface finishes that will absorb less heat and are less reactive to radiation, effects of deterioration, minimizing exposure time to radiation, and removing possibly reactive materials by circulation of air or other fluids or by careful location of system components. More extensive information is given in Ref. 3 0.

2-4  OPERATIONS  RESEARCH  METHODS 

Par. 2-2 discussed the complexity of describing the effects of the complete environment.

Operations analysis, the system concept of input-transform-output, provides a powerful tool for dealing with this complex situation and allows relationships between several inputs, between inputs and outputs, and between the transformation function and effectiveness of output.

Problem solving is always helped by diagramming the conditions. Fig. 2-5 provides a picture of the overall environmental situation. A climate consists of an envelope of natural environmental factors of natural ambient conditions. A generic classification of the environmental factors contains temperature, humidity, radiation, precipitation, contamination, and wind.

A systematic  procedure  is  also  valuable 
for  handling  technical  review  and  technical 
review  reporting  and  evaluation,  and  is  partic- 
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FIGURE  2-5.  Environmental  Sitwtion  Diagram2 


ularly  applicable  to  PERT  methodology. 
Accordingly,  the  algorithm  in  Fig.  2-6  was 
designed  to  encompass  the  performance  of 
each  task  and  of  the  total  program.  Thus,  per- 
formance at  both  levels  will  have  several 
points  of  contact  and  will  overlap. 

The matrix in Fig. 2-7 shows these interwoven and interrelated points
of contact. Tasks are grouped as follows: the left column contains
environments consisting of all relevant environmental factors; the
columns to the right are either factors of a subset of one or more
environments, or are operations on the set and subset. Performance
procedures are located in the horizontal rows.

By using the concept in Fig. 2-7, the progress and status of
performance can be recorded, reported upon, and evaluated for each
block and each row. Interrelationships are included in the blocks, and
modes provided by the rows. Thus, blocks and rows represent
checkpoints, and the figure becomes heuristic and modus operandi for
both management and technical performance. More details of these
methods can be found in Refs. 2 and 6.
Problem statement consists of the input of the input-transform-output
system process, and covers objectives and relevance of particular
task. It must be firmly established that there is a problem, that it
is unique, and that it exists as affirmed by its various elements.

Factors of the "real" environment are established, the real
environment consisting of those elements and/or interrelationships of
elements known and established to have effects on equipment
performance. Effect implies both degradation and improvement.

Represents model building point, describing situation in only
essential features in order to preclude obscuring the problem.
Mathematical description employs set terminology establishing that the
set S (environment) consists of a body of properties dividing S into
subsets, and having a measure function for any such set and a
probability density function.

RESTATE PROBLEM IN TERMS OF "REAL" ENVIRONMENT

TRANSPOSE CRITERIA INTO FEATURES, SPECIFICATIONS, AND STANDARDS

Postulation point, at which hypotheses are established and method
designated; questions can be answered in conformance with situation
model. Task performance relative to a set or an element must have
points of overlap and of interrelationship. Scientific inference and
design of experiments established for requirements.

Acquire data from several sources, e.g., macrometeorological and
micrometeorological natural environment information (published natural
environment data). Information gaps must be filled by field and
laboratory measurements establishing data relative to natural
characteristics and effects.

Analyze data to yield environmental envelope for each situation in
probability density format expressed as mean/median, peak values, and
of expectation. If empirical relationships are indicated, develop
curves with deterministic properties. Test criteria and simulation
methods.

Put criteria into useful form adaptable to cataloging and
dissemination in an information system. Transposed criteria must be
completely suitable as technical and operational bases for decisions
entailing likely occurrence, margin for error, and risk of failure;
and must be suitable for computerization.

FIGURE 2-6. Algorithm for Program Performance (Ref. 6)

FIGURE 2-7. Matrix of Interrelationships of Tasks
CHAPTER 3 MEASURES OF RELIABILITY


3-0 LIST OF SYMBOLS

Cdf  = Cumulative distribution function
MTBF = mean time between failures
MTTF = mean time to failure
pdf  = probability density function
Sf   = Survivor function, Sf = 1 - Cdf
t    = time to failure (for nonrepairable items);
       time between failures (for repairable items)


3-1 INTRODUCTION


Engineers face tremendous difficulties in attempting to measure
reliability, maintainability, safety, or other product characteristics
precisely with a single number. The reason for the difficulty is that
products are usually complex, are made up of many different parts,
serve many different uses, and operate under many different
conditions. The question “how good is a jeep?” might well take 50
pages of explanation and great detail to arrive at a plethora of
answers. How then is it possible to measure the reliability of a jeep
with a single number?

By using a single number to measure reliability, some information is
lost. But the convenience of one number, or perhaps a few numbers,
makes up for the lost information. All the measures given in this
chapter are related to probabilities. The methods for calculating
(predicting) reliability are given in Part Three, Reliability
Prediction. A discussion of many concepts in probability and
statistics, together with information about specific probability
distributions, is given in Part Six, Mathematical Appendix and
Glossary. Techniques involved in estimating and measuring reliability
by means of test results on existing items are given in Part Four,
Reliability Measurement.

The process of designing, creating, and producing reliable hardware is
an engineering one, not a statistical one. But the measures of
reliability are statistical; so the engineer does need to be familiar
with probability and statistics.

Reliability is a measure of the ability of an item to complete its
mission successfully, given that the item was in proper condition
(available) at the mission beginning. Sometimes, quantitative
reliability measures are assigned as a goal in the conceptual stage,
before any design or hardware has been fabricated. In this case, the
system must be designed and the subsystems and parts selected to
preserve the desired reliability. At each decision point in the
concept, design, or fabrication phase, the system reliability must be
predicted. In these cases, the predicted reliability is compared with
the required reliability, and such changes and trade-offs made as are
necessary. This reliability constraint imposed upon designers and
developers of equipment is not different in spirit from the cost
constraints imposed on an architect. He wishes to create as
distinguished a building as possible within the limits of his allowed
costs. Nor is it different in spirit from the weight constraints
imposed on an aircraft designer who must consider engine, equipment,
and fuel requirements against the weight of the payload. The
difference with the constraint on reliability is that it has been more
recently recognized. Reliability, like cost and weight, must be
specified in advance; the quantitative measures of reliability make it
possible to do this.

Of the several measures of reliability, it is a matter of engineering
judgment to decide which to use. Many times it will make little
difference, but sometimes it will. A supplier, once given the measure
as a specification, might well try to maximize his gains by changing
anything but the specified measure. See Part Five, Contracting for
Reliability.

3-2  PROBABILITIES  OF  SUCCESS  AND 
FAILURE 

The traditional narrow definition of reliability as a probability of
success is repeated here from par. 1-1:

“s-Reliability is the probability that an item will perform its
intended function for a specific interval under stated conditions.”

This  definition  has  two  major  shortcomings: 

(1) It  does  not  cover  one-shot  items  like 
ammunition. 

(2)  It  does  not  explicitly  consider  the 
condition  of  the  item  at  the  beginning  of  the 
mission,  whereas  virtually  all  calculations  and 
predictions  of  s-reliability  do  consider  it. 

Most of the theoretical analyses of reliability which appear in the
literature and those in Part Three, Reliability Prediction, use the
following definition, which alleviates those two shortcomings:

“s-Reliability is the probability that an item successfully completes
its mission, given that the item was in proper condition at the
beginning of the mission.”

In  a practical  situation,  the  four  elements 
of  the  definition  must  be  carefully  explained, 
defined,  and  delineated. 

(1)  The  item 

(2) The mission (especially any limitations on repair during the
mission)

(3)  Successful  completion 

(4)  Proper  condition  (especially  the 
manner  in  which  it  is  assured). 

For a theoretical analysis one usually specifies the repair philosophy
for the components during the mission, and in what conditions the
components may appear during the mission. Proper condition almost
always is assumed to be “every component is good”, not merely that the
item is functioning.

One-shot items are covered in par. 3-7.

The probability of failure often is calculated, rather than
probability of success, because of the significant-figure difficulty
with probabilities near 1 and because of the easy approximations for
small probabilities. Failure and success are complementary events; the
sum of their probabilities is 1.

3-3  FAILURE  DISTRIBUTIONS 

A failure distribution gives all the information about times to
failure, not just a single number. (This paragraph is written as if
the variable of interest is failure-time, but the variable could
easily be strength, damage, etc.) In the usual application of failure
distributions it is presumed that no failure/repair pairs are allowed,
although preventive maintenance is considered occasionally. The
statistical concepts of failure distributions are explained in Part
Six, Mathematical Appendix and Glossary. The probability density
function (pdf) is the description of a distribution most often used in
discussions. It historically has been used, it has mathematical
convenience, and its shape is usually quite characteristic of the
distribution (whereas all cumulative distribution functions tend to
look alike). It will be used in this paragraph. The uses of failure
distributions are classified conveniently into interpolation,
extrapolation, and calculations of moments and percentiles.

Interpolation (usually a smoothing type) means calculating a value of
the pdf for a failure time that is within the region where data are
available, but for which there was no test result or for which some
smoothing of data was needed. The choice of failure distribution is
not critical in interpolation. Many distributions will give equally
good results, especially when goodness is evaluated with respect to
the usual tremendous uncertainty in the data.

Extrapolation means calculating a value of the pdf for a failure time
that is outside the region where data are available. This is the most
popular and the most misleading use of distributions. It is misleading
because the user forgets that he doesn’t know the behavior in this
region; he then confuses “numerical precision in calculation” with
“accuracy of describing the real behavior”. One method of avoiding
this trap is to use two regions of failure time: internal and
external. The internal region is essentially the one where
interpolation, or very mild extrapolation, is possible. The external
region is the one where gross extrapolation would have to be used.
Very often it will be in two parts, one on either side of the internal
region. One then estimates the fraction of the population which lies
within these two subregions. In any subsequent calculation, a further
assumption might have to be made about where in the subregion the
values might be; but then the user is on guard that he is guessing and
that he should see what happens for several different guesses. There
is absolutely no law of nature that says pdf's must be smooth
tractable curves. The use of the external region is illustrated in
Chapter 10, “Parameter Variation Analysis”.
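The extrapolation trap can be shown numerically. The following Python sketch is an added example, not part of the handbook: it passes a Weibull Cdf through the quartiles of a constructed lognormal population, so the two agree in the internal region, and then compares what each says about an early failure time in the external region. The lognormal parameters and the early time of 20 are assumed values, and the function names are illustrative.

```python
import math
from statistics import NormalDist

STD = NormalDist()  # standard s-normal, used for the lognormal Cdf and quantiles


def lognormal_cdf(t, mu, sigma):
    return STD.cdf((math.log(t) - mu) / sigma)


def weibull_cdf(t, scale, shape):
    # -expm1(-x) = 1 - exp(-x) without losing digits when x is small
    return -math.expm1(-((t / scale) ** shape))


def weibull_through(t1, p1, t2, p2):
    """Weibull (scale, shape) whose Cdf passes through (t1, p1) and (t2, p2)."""
    k1 = -math.log(1.0 - p1)
    k2 = -math.log(1.0 - p2)
    shape = math.log(k2 / k1) / math.log(t2 / t1)
    scale = t2 / k2 ** (1.0 / shape)
    return scale, shape


def compare(mu=math.log(100.0), sigma=0.5, t_external=20.0, n=200):
    """Match the two distributions on the quartiles, then look outside them."""
    # Constructed population: lognormal with median 100.
    t25 = math.exp(mu + sigma * STD.inv_cdf(0.25))
    t75 = math.exp(mu + sigma * STD.inv_cdf(0.75))
    scale, shape = weibull_through(t25, 0.25, t75, 0.75)

    # Internal region: between the quartiles, where "data" were available.
    grid = [t25 + (t75 - t25) * i / n for i in range(n + 1)]
    max_gap = max(abs(lognormal_cdf(t, mu, sigma) - weibull_cdf(t, scale, shape))
                  for t in grid)

    # External region: fraction failed by an early time far below the data.
    return {
        "t25": t25,
        "t75": t75,
        "weibull_scale": scale,
        "weibull_shape": shape,
        "max_interior_gap": max_gap,
        "p_early_lognormal": lognormal_cdf(t_external, mu, sigma),
        "p_early_weibull": weibull_cdf(t_external, scale, shape),
    }


if __name__ == "__main__":
    r = compare()
    print("internal region: %.1f to %.1f" % (r["t25"], r["t75"]))
    print("largest Cdf disagreement inside it: %.3f" % r["max_interior_gap"])
    print("fraction failed by t=20, lognormal: %.2e" % r["p_early_lognormal"])
    print("fraction failed by t=20, Weibull:   %.2e" % r["p_early_weibull"])
```

Inside the quartiles the two Cdfs differ by only a few hundredths, yet their predicted early-failure fractions differ by more than a factor of ten, which is the "several different guesses" check the paragraph recommends.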

Calculation of moments and percentiles is done conveniently from the
distributions using existing formulas and tables. But it is not
necessary that the distribution be known before moments and
percentiles can be estimated. Moments can be directly estimated from
the data; indeed, equating sample moments to population moments is a
well-known technique for parameter estimation. The usual moments are
the mean and variance. Percentiles can be estimated directly from the
data only in the interior region. If percentiles must be calculated in
the exterior region, then guesses (possibly implicit) must be made
about the failure-time behavior in that region.

Four of the common distributions and their traditional applications
are given in Table 3-1. The table illustrates tradition more than it
describes the real world.

TABLE 3-1

GENERAL APPLICATION OF COMMON DISTRIBUTIONS

Distribution   Typical Applications            Comments

Exponential    Large, often-repaired           Often used where insufficient
               systems. Failure due to         data exist to show the form
               occasional, unpredictable       of the distribution.
               environmental extremes.

Weibull        Mechanical and electronic       Often used in any situation
               components.                     where the data do not rule it
               Fatigue life.                   out. It is mathematically
               Antifriction-bearing life.      tractable.

Lognormal      Time to repair.                 Often used where the log
               Life of semiconductors.         transform is easy for the
               Fatigue life.                   data. Very similar shape, in
               Antifriction-bearing life.      its central region, to the
                                               Weibull.

s-Normal       Life, where limited by          Often used where insufficient
(Gaussian)     physical wear.                  data exist to show the exact
               Wearout life.                   form of the distribution, but
               Describe relatively small       when the exponential is
               variability in any              clearly not applicable.
               characteristic of anything.

3-4 FAILURE RATE

The term “failure rate” is defined several ways in the literature. But
its use in the following way is so entrenched that it is not feasible
to use another term. Other names for failure rate are conditional
failure rate, instantaneous failure rate, hazard rate, and force of
mortality.

“Failure rate (for continuous variables) is the ratio of the
probability density function to the survivor function.”

The probability density function (pdf) and survivor function (Sf) are
discussed in Part Six, Mathematical Appendix and Glossary. The
survivor function is sometimes called the reliability function;
Sf = 1 - Cdf, where Cdf is the cumulative distribution function (for
continuous variables). A longer way of saying it is: Failure rate is
the rate of failure, at a time instant, given that the item was not
failed at the beginning of that instant.

The  formula  for  failure  rate  is 

failure  rate  = — (3-1) 

The  difference  between  failure  rate  and 
the  probability  density  function  is  that  the 
pdf  is  a prediction  made  at  time  = 0 about  the 
future;  whereas  the  failure  rate  is  a prediction 
about  only  the  next  instant.  Both  have  the 
same  units:  reciprocal  time. 

Occasionally someone in the literature distinguishes between the
failure of nonrepairable items and the failure rate of repairable
items. This is a worthwhile endeavor, but the distinction, for simple
systems, is not likely to find its way into the literature. If the
system is not simple and if the repair strategy is complicated, i.e.,
if there are many conditions (states) of the system that must be
distinguished, then failure rate is an ambiguous, ill-defined term.
Instead, transition rates between conditions are given for all
possible transitions.

The reasons that failure rate is so popular a measure of reliability,
as opposed to the pdf, are:

(1) Often one really is not interested in making predictions far into
the future (“If it is operating now, will it still be operating a long
time from now?”); rather one wishes to know only about the future
itself (“For those which are still operating then, how likely are they
to fail?”).

(2) The assumption of constant failure rate is made so often,
sometimes implicitly, that it is a common figure of merit for a
component or system.

Whenever no time dependence is given for a failure rate, usually the
failure rate is presumed to be constant.

Table 3-2 shows the failure rate characteristic for the four common
distributions.

TABLE 3-2

BEHAVIOR OF THE FAILURE RATE

Distribution           Failure-Rate Behavior

Exponential            Constant

Weibull                Monotonic. The direction depends on the shape
                       parameter; can be always increasing (without
                       bound), always decreasing (to zero “at
                       infinity”), or constant. (See Part Six)

Lognormal              Increases to a maximum, then decreases to zero
                       “at infinity”

s-Normal (Gaussian)    Always increases (without bound)

The implications of failure rate behavior are:

(1) Constant failure rate. An item of any age statistically has as
long a life left as one of any other age. One should not replace good
items when their hazard rate is constant.

(2) Increasing failure rate. Older items statistically have shorter
lives left than newer items. Replacing old nonfailed items can be a
good idea.

(3) Decreasing failure rate. Older items statistically have longer
lives left than newer items. This is a case where the “bad die young”.

These behaviors are statistical and mean only what they say, nothing
more. An individual item with a decreasing failure rate might be
wearing out, but could still live long because its initial strength
was extremely high.

When the failure rate is increasing without bound (→ ∞), it is
sometimes said to be in a wearout phase. Distributions with this
property are then said to be wearout distributions. The s-normal
(Gaussian) and some Weibull distributions are wearout distributions.
The exponential and lognormal distributions are not.

The parameter of a Poisson process is also a failure rate. See
Refs. 1 or 2 for more details.


The failure rate of a system is often fairly high at the beginning
when it is put into commission. This is largely due to human frailty
in one form or another. Then, once the severe weaknesses have been
removed (possibly even by redesign) the failure rate often settles
down to a reasonably constant value (fluctuates within a factor of 2
or so). Some systems, if they are used long enough, have a rise in
failure rate because many of the components seem to near the end of
their useful lives. If this failure rate behavior is plotted as a
function of time, it has the so-called bathtub shape. Many electronic
systems become obsolete before their failure rate rises appreciably.
Some systems are debugged thoroughly before being delivered. The
bathtub curve is neither inevitable nor always desirable. It is better
to avoid the term and separately discuss variations in failure rate if
they will be important.

3-5  TIME-TO-FAILURE 


This concept applies to nonrepairable items. It is sometimes called
time-to-first-failure, but that concept usually is confusing since
further failures are implied, but yet time-between-failures is
obviously not meant. (One can, of course, calculate and use any figure
he chooses, provided both he and the intended reader understand it.)
In this paragraph, each item fails but once and so “failure” is “first
failure”. If the item is repaired and returned to a like-new
condition, then it is considered a different, new item.

Not all failure-time distributions have a mean (i.e., the mean is
“infinite”), but the usual ones do. The mean time-to-failure MTTF is

$$\text{MTTF} = \int_0^\infty t \, \text{pdf}\{t\} \, dt = \int_0^\infty \text{Sf}\{t\} \, dt \qquad (3\text{-}2)$$

if the MTTF exists; where

t   = time to failure
pdf = probability density function
Sf  = survivor function

The MTTF is used because it is tractable and traditional. In some
instances, the existence of many long-lived items inflates the MTTF so
that it is not characteristic of lives actually observed in the field.
Very often a median time-to-failure is more characteristic of the
lives that will be observed in the field. For short times, failure
rate is often a better, more useful reliability measure than MTTF; the
early failures will hurt the system; no one cares about the exact life
of the very long-lived systems.

The means and medians of the common distributions are given in Part
Six, Mathematical Appendix and Glossary.
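The definition of failure rate in par. 3-4, the behaviors listed in Table 3-2, and the two forms of the MTTF integral in par. 3-5 can all be checked numerically. The following Python sketch is an added example, not part of the handbook; the parameter values are constructed, the function names are illustrative, and the integrals are assumed to run from 0 to infinity (truncated here to a finite geometric grid).

```python
import math


def _phi(z):
    """Standard s-normal pdf."""
    return math.exp(-0.5 * z * z) / math.sqrt(2.0 * math.pi)


def _upper(z):
    """Standard s-normal survivor function; erfc keeps precision in the tail."""
    return 0.5 * math.erfc(z / math.sqrt(2.0))


# Each constructor returns the pair (pdf, Sf) as functions of time t > 0.
def exponential(rate):
    return (lambda t: rate * math.exp(-rate * t),
            lambda t: math.exp(-rate * t))


def weibull(scale, shape):
    return (lambda t: shape / scale * (t / scale) ** (shape - 1.0)
            * math.exp(-((t / scale) ** shape)),
            lambda t: math.exp(-((t / scale) ** shape)))


def lognormal(mu, sigma):
    return (lambda t: _phi((math.log(t) - mu) / sigma) / (sigma * t),
            lambda t: _upper((math.log(t) - mu) / sigma))


def s_normal(mean, sd):
    return (lambda t: _phi((t - mean) / sd) / sd,
            lambda t: _upper((t - mean) / sd))


def failure_rate(dist, t):
    """Ratio of the pdf to the survivor function at time t."""
    pdf, sf = dist
    return pdf(t) / sf(t)


def behavior(dist, times):
    """Classify the failure rate over an increasing grid of times."""
    h = [failure_rate(dist, t) for t in times]
    signs = []
    for a, b in zip(h, h[1:]):
        if abs(b - a) <= 1e-9 * max(a, b):
            continue                      # rounding noise counts as no change
        s = 1 if b > a else -1
        if not signs or signs[-1] != s:
            signs.append(s)               # record each change of direction once
    names = {(): "constant", (1,): "increasing", (-1,): "decreasing",
             (1, -1): "rises to a maximum, then decreases"}
    return names.get(tuple(signs), "other")


def _grid(lo=1e-6, hi=1e6, n=20000):
    """Geometric grid: fine near zero, coarse in the far tail."""
    step = math.log(hi / lo) / n
    return [lo * math.exp(i * step) for i in range(n + 1)]


def _trapezoid(f, ts):
    ys = [f(t) for t in ts]
    return sum(0.5 * (ys[i] + ys[i + 1]) * (ts[i + 1] - ts[i])
               for i in range(len(ts) - 1))


def mttf_from_pdf(dist):
    """First form of the MTTF: integral of t * pdf(t)."""
    pdf, _ = dist
    return _trapezoid(lambda t: t * pdf(t), _grid())


def mttf_from_sf(dist):
    """Second form of the MTTF: integral of the survivor function."""
    _, sf = dist
    return _trapezoid(sf, _grid())


def median_life(dist, lo=1e-6, hi=1e6):
    """Time at which Sf = 0.5, found by bisection (Sf is non-increasing)."""
    _, sf = dist
    for _ in range(200):
        mid = 0.5 * (lo + hi)
        if sf(mid) > 0.5:
            lo = mid
        else:
            hi = mid
    return 0.5 * (lo + hi)


if __name__ == "__main__":
    times = list(range(10, 201, 10))
    cases = {"Exponential": exponential(0.01),
             "Weibull, shape 2": weibull(100.0, 2.0),
             "Weibull, shape 0.5": weibull(100.0, 0.5),
             "Lognormal": lognormal(math.log(100.0), 1.0),
             "s-Normal": s_normal(100.0, 20.0)}
    for name, dist in cases.items():
        print("%-20s %-36s MTTF %7.1f  median %7.1f" % (
            name, behavior(dist, times), mttf_from_sf(dist), median_life(dist)))
```

For the constructed lognormal case the MTTF comes out well above the median, which is the inflation by long-lived items that par. 3-5 warns about.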

3-6  TIME  BETWEEN  FAILURES 

This concept applies to repairable items. In any repair situation one
must know the presumed condition of the item after repair in order to
make calculations. There are two conventional tractable assumptions:

(1) A repaired item is “good as new”. This means that, statistically,
the repaired item is just like a new one.

(2) A repaired item is “bad as old”. This means that, statistically,
the repaired item is just as bad as it was before failure. An example
is a jeep, just after a failed set of distributor points has been
replaced; the overall condition of the jeep has not been significantly
altered by the repair.

If the failure rate is constant, then the two assumptions are
equivalent, since age is irrelevant in predicting future life.

When the repaired item is “good as new”, the time-between-failures is
the same as time-to-failure. If not, then the repair philosophy must
be explicitly enumerated.

The mean time-between-failures (MTBF) appears often in the reliability
literature; it is defined just as in Eq. 3-2. Unfortunately, the
repair situation is rarely explained. In some cases, the author may
have been confused and, if it is a theory paper, the author may not
even realize what his implicit assumptions are. Virtually always when
MTBF is given a specific value (e.g., MTBF = 100 hr), the failure rate
of the item is presumed constant (or reasonably so). When failure rate
is constant, the MTBF is just the reciprocal of the failure rate.

For large complex repairable systems where no few components are
responsible for many of the failures, and where the system has had
many failures already, the failure rate is reasonably constant and
MTBF is a reasonable concept.

Theoreticians have to be more wary of this concept than do engineers.

3-7  FRACTION  DEFECTIVE 

For one-shot items, such as ammunition, the time concept in
reliability is not appropriate. They either function, or they fail in
some way. So the fraction defective (or fraction good) is a useful
concept. One often wishes to classify failures into several
categories. For ammunition, two common categories are duds and
prematures; generally, the fraction of prematures should be much less
than the fraction of duds.

Another case where fraction defective is appropriate is where a
distribution of strength of an item is reasonably known between some
limits; e.g., the strength has an s-normal distribution with mean
10,000 lb and standard deviation of 1000 lb, in the range 7000 to
13000 lb. On the weak side, the actual strength is not known, the
items are just considered defective and the fraction defective is
estimated, say 0.5%. One rarely will care if a small fraction has
strengths above 13000 lb because they will not affect appreciably the
reliability.

Another  use  for  fraction  defective  is 
where  one  doesn't  care  how  good  an  item  is, 
or  how  long  it  lasts,  just  as  long  as  it  is  good 
enough.  Then  those  which  are  good  enough 
constitute  the  fraction  good;  the  others  are 
the  fraction  defective. 
CHAPTER 4 MODEL BUILDING AND ANALYSIS


4-0 LIST OF SYMBOLS

Cdf  = Cumulative distribution function
f(t) = pdf{t}
f(x) = pdf{x}
F(x) = Cdf{x}
g(y) = pdf{y}
G(y) = Cdf{y}
pdf  = probability density function
R(t) = Sf{t}
Sf   = Survivor function, Sf = 1 - Cdf
t    = a random variable, time
x    = any random variable
y    = F(x)
α    = scale parameter, see Table 4-1
β    = shape parameter, see Table 4-1
λ    = a failure rate


4-1  INTRODUCTION 

No one can analyze the real world situation or the real hardware; he
can only analyze his mental picture of the situation or hardware. This
mental picture is called a conceptual model (often shortened just to
“model”).

The idea of a conceptual model is adapted from the idea of a physical
model such as a model car. In a physical model, the characteristics of
importance are reproduced quite well. In a model car these might be
proportions, shape, and color. The characteristics of little or no
importance are not usually reproduced at all; e.g., there may be no
motive power and the tires may not be pneumatic. The “inbetweens”
receive indifferent treatment. The physical model is an abstracting of
something important from the physical world; it is an imitation.

A conceptual model is analogous to a physical model. Since everything
in the universe affects everything else to some degree, however
slightly, any exact treatment would be hopelessly complicated.
Therefore the engineer decides how he will look at the situation and
makes a set of assumptions (both explicit and implicit) about what he
will ignore and what he will include in the conceptual model. By its
very nature, a conceptual model is incomplete: it ignores some things
and describes others in an approximate fashion.

After having made a set of assumptions for a conceptual model, the
engineer then operates on those assumptions with mathematics and
logic; he analyzes them by any means at his disposal. While developing
the logical implications of a set of assumptions, he often doesn't
like the results: they don't seem to fit; they appear to be
inconsistent with his beliefs, etc. Then he has two rational choices:

(1) Change his beliefs about the way the world is, if he is convinced
that the set of assumptions is very realistic; and/or

(2) Go back and modify the assumptions, so that their logical
implications do in fact fit his beliefs about the world.

The creation of a conceptual model is a circular, often haphazard,
process wherein ideas come from everywhere and get analyzed, tested,
compared, junked, and accepted.

A conceptual model is often mathematical in nature and the same
formalism will describe several different situations. It is important
to keep the distinction between the mathematics itself (which is quite
general, completely impersonal, and always “true”) and what it
represents in an engineering sense.

All reliability analyses and optimizations are made on conceptual
models of equipment, not on the equipment itself. The engineer forgets
this at the peril of the person in the field who uses, not the
engineer's conceptual model, but the real hardware.

This chapter describes the procedure used to create mathematical
models of systems. The models can then be analyzed by the methods in
Part Three, Reliability Prediction.

For systems with (a) repair, and (b) many elements that are treated
separately, a more complicated description is needed than for simple
nonrepairable systems. The possible states (conditions) of each
element are defined, and the state (condition) of the system is the
set of states of the elements. This approach is sometimes called the
state-matrix approach because the state of the system is described,
not by a single number, but by a matrix of numbers. The approach is
discussed more fully in par. 4-2.

Some  terms  that  will  be  used  are  defined: 

(1)  Element.  An  element  of  a system  is 
an  item  whose  failure  and  repair  character- 
istics are  considered  as  a unit  and  not  as  a 
collection  of  items. 

(2)  Up.  An  item  is  up  if  it  is  capable  of 
performing  its  function;  i.e.,  it  is  available. 
There  might  be  various  degrees  of  being  up, 
each  with  different  failure  behavior. 

(3) Down. An item is down if it is not up.

(4)  On.  An  item  is  on  if  it  is  both  up  and 
operating. 

(5)  Idle.  An  item  is  idle  if  it  is  up  and 
not  operating;  i.e.,  it  is  being  held  in  standby. 

(6) State. The state of an item is a statement of its condition, as
measured by its characteristics which are considered important. The
states are often given names such as Up, In Repair, Degraded, Standby,
or Failed.

(7) State-matrix. The state-matrix of an item is the matrix of the
states of the elements of the item.

(8) Series. Elements of a subsystem are in series if they all must be up
for the subsystem to be up.

4-2  MODEL  BUILDING 

To compute the reliability and maintainability measures of a system,
there must be a mathematical model of the system. The appropriate
mathematical model is a reliability model which consists of a
reliability block diagram or a Cause-Consequence chart; all equipment
failure time and repair time distributions; a definition of the states
of each element and of the item; and a statement of maintenance, spares,
and repair strategies.

A reliability block diagram is obtained from a careful analysis of the
manner in which the system operates, i.e., the effects of failures on
overall system performance of the various parts that make up the system;
the support environment and constraints including such factors as the
number and assignment of spare parts and repairmen; and finally, a
consideration of the mission to be performed by the system. Careful
consideration of these aspects yields a set of rules (which will be
referred to as up-state rules) which define satisfactory operation of
the system (system up) and unsatisfactory operation (system down), as
well as the various ways in which these can be achieved. If a system
operates in more than one mode, a separate reliability diagram must be
developed for each.

For complicated systems, a Cause-Consequence chart might be more
appropriate than a reliability diagram. See Chapter 7 for a discussion
of Cause-Consequence charts and fault trees. Regardless of which is
used, the model building is similar. This chapter uses reliability
diagrams because the discussion is simpler that way.

A considerable  amount  of  engineering 
analysis  must  be  performed  in  order  to 
develop  a reliability  model.  The  engineering 
analysis  proceeds  as  follows: 

(1) The engineer develops a functional block diagram of the system based
on his knowledge of the physical principles governing system operation.

(2) The engineer uses the results of performance evaluation studies to
determine to what extent the system can operate in a degraded state.
This information can be provided by outside sources.

(3) Based on the functional block diagram, and the amount of acceptable
performance degradation, the engineer develops the reliability block
diagram, and the up-state rules.

(4) The reliability block diagram and the up-state rules are used as
inputs to the equations for system behavior and for calculating various
measures of reliability and maintainability (including availability).
The actual analyses are described in Part Three, Reliability Prediction.

The reliability diagram is a pictorial way of showing all the success or
failure combinations of the blocks in the system. Those combinations
must be known before the reliability diagram can be drawn; one does not
“derive” the combinations from the diagram for the first time; rather,
they are implicit in it since they were put there by the originator of
the diagram. The rules for drawing the diagram are:

(1) A group of elements that are essential to performing the mission are
drawn in series (Fig. 4-1(B)).

(2) Elements that can substitute for other elements are drawn in
parallel (Fig. 4-1(C)).

(3) Each block in the diagram is like a switch. The switch is closed
when the element it represents is good; it is open when the element is
failed. Any closed path through the diagram is a success path.

(4) Elements shown in parallel are sometimes ambiguous. The usual
convention is that if any one is good, the subsystem is good (see
Rule 3). But some subsystems might require, for example, that 2 out of 5
are good, for the subsystem to be good. These combinations are difficult
to draw in the simple way; so the techniques of Fig. 4-1(F) sometimes
are used.
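Rules (3) and (4) can be checked mechanically. The Python below is an added example, not part of the handbook: it treats each block as a switch, tests for a closed path, compares that with a written-out up-state rule, and sums the probability of the up states. The five-element bridge diagram, the node names and the element up-probabilities are constructed for the illustration, and elements are assumed s-independent.

```python
from itertools import product

# Constructed example diagram (not a figure from the handbook): a five-element
# bridge. Each tuple is one block acting as a switch between two nodes.
BRIDGE = [("IN", "n1", "A"), ("n1", "OUT", "B"),
          ("IN", "n2", "D"), ("n2", "OUT", "E"),
          ("n1", "n2", "C")]


def path_closed(diagram, up):
    """Rule (3): system is up if some path IN -> OUT uses only closed switches."""
    reached, frontier = {"IN"}, ["IN"]
    while frontier:
        node = frontier.pop()
        for a, b, element in diagram:
            if not up[element]:
                continue                          # open switch: failed element
            for here, there in ((a, b), (b, a)):  # a closed switch conducts both ways
                if here == node and there not in reached:
                    reached.add(there)
                    frontier.append(there)
    return "OUT" in reached


def bridge_rule(up):
    """The same diagram written out as an explicit up-state rule."""
    return ((up["A"] and up["B"]) or (up["A"] and up["C"] and up["E"]) or
            (up["D"] and up["E"]) or (up["D"] and up["C"] and up["B"]))


def k_out_of_n(k, names):
    """Rule (4): subsystem is up if at least k of the named elements are up."""
    return lambda up: sum(up[n] for n in names) >= k


def states(names):
    """Every combination of up (True) and down (False) for the named elements."""
    for bits in product([True, False], repeat=len(names)):
        yield dict(zip(names, bits))


def reliability(rule, p_up):
    """Sum the probability of every up state (elements assumed s-independent)."""
    total = 0.0
    for up in states(sorted(p_up)):
        if rule(up):
            prob = 1.0
            for name, is_up in up.items():
                prob *= p_up[name] if is_up else 1.0 - p_up[name]
            total += prob
    return total


def rules_agree():
    """True if the path search and the written rule agree on all 32 states."""
    return all(path_closed(BRIDGE, s) == bool(bridge_rule(s))
               for s in states("ABCDE"))


if __name__ == "__main__":
    p = {name: 0.9 for name in "ABCDE"}   # constructed element probabilities
    print("diagram and up-state rule agree:", rules_agree())
    print("bridge reliability:", round(reliability(bridge_rule, p), 5))
    print("2-out-of-5 reliability:",
          round(reliability(k_out_of_n(2, "ABCDE"), p), 5))
```

Enumerating states grows as 2 to the power of the number of elements, so this direct check only suits small diagrams.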

The failure behavior of each redundant element must be specified. Some
common assumptions and terminologies are:

(1) Hot  standby  (active  redundancy). 
The  standby  element  has  the  same  failure  rate 
as  if  it  were  operating  in  the  system. 

(2)  Cold  standby  (passive  redundancy, 
spares).  The  standby  element  cannot  fail.  This 
often  is  assumed  for  spares  on  a shelf,  or 
spares  that  are  not  electrically  connected;  but 
the  assumption  may  well  not  be  true. 

(3) Warm standby. The standby element has a lower failure rate than an
operating element. This is usually a realistic assumption, but often is
not a tractable one.

It is possible for standby elements to have higher failure rates than
operating elements. In those cases an attempt ought to be made to have
the standbys in operation at all times, e.g., (1) an electronic system
which is powered can stay warm and thus not be damaged by moisture,
(2) ball or roller bearings can Brinell when they are not rotating, and
(3) seals can deteriorate when not splashed by fluid.

The state-matrix approach does not use a reliability diagram because of
the limitations of such diagrams. Rather, the states (conditions) in
which each element can be found are listed; examples are Good, Degraded,
Waiting for Preventive Maintenance, Waiting for Repair, and Failed. Some
of the element states might also be grouped, e.g., operating might
include Good, Degraded, or Waiting for Preventive Maintenance. Then the
possible system states are listed and are grouped conveniently. Very
often, Up or Down are sufficient descriptions of the system, but
anything the designer and users agree on can be used, e.g., a
communications receiver which is not Down more than 5 min might not be
considered Failed. Next, the transition rate between each pair of states
is specified. The usual assumption (Markov Chain) is made that the
transition behavior depends only on the two states involved, not on any
other past history. If the transition rates are not constant, the
problem will be intractable for all but the simplest of systems. If
there are many elements, each with several states, the problem can
easily be intractable. More details on this approach can be found in
Ref. 1 and Part Three, Reliability Prediction.

The  reliability  block  diagram  is  basically 
a graphical,  logical  presentation  of  successful 
system  operation.  A functional  block  diagram 
and  its  associated  reliability  block  diagram  are 
illustrated  in  Figs.  4-2  and  4-3. 

As  the  system  design  proceeds,  a series  of 
reliability  block  diagrams  must  be  developed 
to  progressively  greater  levels  of  detail  (Fig. 
4-4).  The  same  level  of  detail  ought  to  be 
maintained  in  a given  block  diagram.  A docu- 
mentation and  numbering  system  should  be 
instituted  so  that  the  family  of  reliability 
models  developed  for  the  system  can  be  or- 
ganized for  ready  use. 

The  elements  of  the  overall  reliability  dia- 
gram ought  to  be  as  comprehensive  as  feasible 
in  order  to  reduce  the  complexity  of  analysis. 

Fig. 4-5 depicts a number of illustrative reliability block diagrams
together with their up-state rules; they vary in complexity starting
with the simplest (a single item) and progressing to levels of
increasing complexity. An example of specifying the support subsystem
would be the system described by (E) of Fig. 4-5; it has two repairmen,
one of whom is assigned to items A and E, and the other is assigned to
the remaining items; items A and D require a spare part which is taken
from a pool of five spares; item B requires no spares for its repair;
item C is not repairable; and in the case of conflicting demands on
repairmen and/or spares, the order of priorities to be followed is
D, A, B, E.

[FIGURE 4-1. Example of Reliability Block Diagrams and Up-state Rules.
Diagrams not reproduced; the up-state rules printed with them follow in
the order in which they appear.]

(A) System is up if item A is up.

(B) System is up if: A is up AND B is up AND C is up.

System is up if: A is up [connective illegible] B is up.

System is up if: (A AND B) are up OR (A AND C AND E) are up OR
(D AND E) are up OR (D AND C AND B) are up.

System is up if: at least 3 A's are up AND at least 7 B's are up AND at
least 1 C is up; the number of (A's + B's + C's) up is at least 10.

System is up if: SUBSYS #1 is up AND SUBSYS #2 is up. SUBSYS #1 is up
if: at least 2 A's are up. SUBSYS #2 is up if: (D AND E) are up OR
[F AND (G OR H)] are up.

Note: AND means both/and; OR means and/or.

[FIGURE 4-3. ILS Localizer Reliability Block Diagram]

[FIGURE 4-4. Progressive Expansion of Reliability Block Diagram]

The up-state rules are in addition to the diagram and define what
combinations of elements must be up for the system to be up. A set of
rules must be defined for each block or section in the reliability block
diagram.

The failure and repair distributions of each equipment must be defined.
The most common failure distributions are exponential, lognormal, and
Weibull; and the most common repair distributions are exponential and
lognormal. Great care must be taken when selecting repair and failure
distributions; they need to be reasonably tractable and reasonably
accurate. For complicated systems, nonconstant transition rates present
an almost hopeless analytic difficulty.

[FIGURE 4-5. Sampling from a Distribution 3. Plots not reproduced.
Panels: (A) Probability Density Function f(x), against variate x;
(B) Cumulative Distribution Function F(x), against variate x;
(C) Cumulative Distribution Function G(y), against variate y;
(D) Probability Density Function g(y), against variate y;
(E) Inverse Cumulative Distribution Function, against probability F.]

Other  factors  that  must  be  defined  are 
the  repair  and  maintenance  strategies  and 
spares  allocation.  The  maintenance  strategies 
define  the  number  of  repairmen  assigned  to 
each  section.  The  repair  strategies  define  the 
order  in  which  equipments  are  repaired  if 
more  than  one  equipment  is  down.  The  spares 
allocation  defines  the  number  of  spare  equip- 
ments assigned  to  each  section. 

4-3  ANALYSIS 

Figures-of-merit can in principle be computed for any electrical or
mechanical system if a reliability model can be developed. A variety of
techniques is available for computing the figures-of-merit. The specific
techniques to be used on a problem depend on the parameter to be
computed, the complexity and type of system, the type of failure and
repair distributions, and the nature of the logistic system. All of
these factors must be considered in detail. Simulation techniques and
computer programs for reliability prediction often are used. Because of
their complexity, detailed discussions of drift failure and
stress/strength analysis are reserved for later chapters.
Stress/strength analysis is discussed in Chapter 9, and drift failure is
discussed in Chapter 10. Part Three, Reliability Prediction, discusses
the analysis of the mathematical model, once it has been developed. For
a system of any complexity, it is likely that the analysis will not be
feasible until many simplifying assumptions have been made in the
original model. Ref. 1 is a good textbook on analytic methods.

4-4  SIMULATION

Simulation techniques (Ref. 2) can be used to determine the appropriate
reliability and maintainability measures (r & m measures) for complex
systems. This approach is also very useful for evaluating systems whose
elements have nonexponential failure and repair distributions, redundant
sections, and can operate in a degraded mode. Frequently, systems of
this kind cannot be evaluated by ordinary analytic methods. Another
advantage of using simulation is that the effect of the logistic system
on the r & m measure can be explored in detail, e.g., the effect of
administrative downtime on availability.

4-4.1  GENERAL  DESCRIPTION  OF  A 
SIMULATION-PROGRAM 

Simulation of a complex system for the estimation of r & m measures is
best accomplished by means of a computer program because of the large
number of calculations that are required to estimate the r & m measures
to an adequate level of s-confidence. Simulation is the direct
observation of the system model “in action”. It's a “try it and see”
approach. The name Monte Carlo (from the gambling city) often is used
when the simulation is probabilistic and repetitive. Monte Carlo
simulation always is implied (in this chapter) by the word simulation.

The  input  data  consist  of: 

(1)  A list  of  elements  in  each  section 

(2)  The  failure,  repair,  and  other  event 
distributions  of  each  element 

(3)  System  failure  criteria,  which  can  in- 
clude allowable  downtime 

(4)  If  the  system  operates  in  more  than 
one  mode,  the  input  data  must  define  the 
equipment  list  and  failure  criteria  for  each 
mode  and  the  fraction  of  time  the  system 
operates  in  each  mode. 

The logic of such a program follows (Ref. 3):

(1) Select an operating mode.

(2) Generate time to failure for all elements by random sampling from
the failure distributions.

(3) Search for the element with earliest time to failure.

(4) Check element reliability configuration and failure criteria to
determine if such failure results in system failure. Check operating
procedure to determine when the element failure will be discovered.

(5) Proceed to the next event. Generate a new time for that event. There
may be several competing events to be considered.

(6) If system failure occurs, record this along with the reason for
failure and the time at which failure occurred.

(7) Repeat Steps (1)-(6) until the desired number of events have
occurred.

(8) Print out results.

There  are  many  simulation  programs  and 
languages  in  existence.  It  rarely  will  pay  to 
write  one  from  scratch.  The  best  procedure  is 
to  contact  the  people  who  run  the  computer 
and  see  what  is  available  for  that  computer. 

A considerable amount of information can be obtained from this program.
For example, the distribution of downtimes and times to failure,
availability, and reliability for each element and for the system can be
obtained to any desired level of s-confidence. The s-confidence level is
determined by the number of runs made on the computer.

The basic principle of Monte Carlo simulation is sampling from
statistical distributions. This sampling process must be random, so that
a source of randomness is required. The most appropriate source of such
randomness is a sequence of random numbers. When a deterministic
algorithm is used to generate a sequence of “random” numbers, they are
called pseudo-random numbers. Choosing an adequate set of pseudo-random
numbers is an art in itself and must be considered seriously in any
large scale Monte Carlo simulation (Ref. 4). When the simulation is
being performed by hand calculation, a published table of pseudo-random
numbers can be used (Ref. 4). For a large scale simulation performed on
a computer, a subroutine called a pseudo-random number generator
generates the pseudo-random numbers.

The distribution of a variable can be described by its cumulative
distribution function (Cdf). The basis for Monte Carlo simulation is the
fact that the distribution function of any Cdf is uniform between the
values of 0 and 1.

Fig. 4-5 illustrates why a random number from the uniform distribution
(on the interval 0 to 1) can be used to generate a random variable which
has any desired distribution.


Let

$f(x) = \mathrm{pdf}\{x\}$, Fig. 4-6(A)

$F(x) = \mathrm{Cdf}\{x\}$, Fig. 4-6(B)

$y = F(x)$

$G(y) = \mathrm{Cdf}\{y\}$, Fig. 4-6(C)

$g(y) = \mathrm{pdf}\{y\}$, Fig. 4-6(D)

where x = any random variable.

By studying Figs. 4-5(A) through 4-5(D), one can convince himself that y
does have the uniform distribution over the interval 0 to 1. Fig. 4-5(E)
is just Fig. 4-5(A) redrawn with the axes reversed. By choosing (with
uniform pdf) a number between 0 and 1, a value of F is obtained. By
entering the F-axis in Fig. 4-5(E) (say F = 0.6), then going up to the
curve, one finds the value of x to be 4. One can as easily use the
survivor function Sf as the Cdf since it involves only a reversing of
the horizontal scale in Fig. 4-5(E). In practice, the calculations of
x's from the F's can be done in several different ways. Ref. 4 discusses
several of them. Rarely will the design engineer be concerned about the
details of such calculations. He needs only enough understanding to talk
intelligently to a computer programmer or to use an existing simulation
routine.

In  practice,  this  process  can  be  mecha- 
nized by  using  a table  to  represent  the  graphs 
in  Fig.  4-5.  Analytic  methods  also  can  be 
used.  The  analytic  methods  include: 

(1) Analytic inversion of the cumulative distribution function and the
calculation of the value of this function for the value of a selected
uniform random variable

(2) Numerical inverse interpolation in the distribution function
determined analytically

(3) A process of numerical inverse interpolation in a numerical
approximation to the cumulative distribution function

(4) The numerical approximation to the inverse cumulative distribution
function itself.

The analytic method of inversion is illustrated for the exponential
distribution, which is so important in reliability engineering.
The pdf of time to failure is

$f(t) = \lambda \exp(-\lambda t)$  (4-1)

The Sf is

$R(t) = \exp(-\lambda t)$  (4-2)

The inverse of the Sf is

$t = -(\ln R(t))/\lambda$  (4-3)

For example, let $\lambda = 5.0 \times 10^{-6}$/hr and let 3 values of
R, from the uniform distribution over [0,1], be 0.723, 0.032, 0.247.
Then the 3 corresponding values of t are

$t = -[(\ln 0.723)/(5.0 \times 10^{-6}/\mathrm{hr})] = -[(-0.3243)/(5.0 \times 10^{-6}/\mathrm{hr})] = 6.49 \times 10^{4}$ hr  (4-4)

$t = -[(\ln 0.032)/(5.0 \times 10^{-6}/\mathrm{hr})] = 6.88 \times 10^{5}$ hr  (4-5)

$t = -[(\ln 0.247)/(5.0 \times 10^{-6}/\mathrm{hr})] = 2.80 \times 10^{5}$ hr  (4-6)

The  simulation  procedure  is  illustrated  by 
the  very  simple  example  that  follows;  any 
practical  system  will  have  many  more  compli- 
cations. The  system  has  the  following  proper- 
ties: 

(1) There  are  2 elements,  A and  B.  The 
system  fails  if  either  A or  B fails. 

(2)  Upon  the  failure  of  A or  B,  the  failed 
element  is  repaired.  Then  both  are  given  pre- 
ventive maintenance  to  restore  them  to  like- 
new  condition. 

(3)  All  failures  and  repairs  are 
s-independent. 

(4)  All  failure  and  repair  times  have 
Weibull  distributions.  (Part  Six,  Mathematical 
Appendix  and  Glossary  gives  details  on  this 
and  many  other  distributions.)  The  details  of 
the  distributions  are  given  in  Table  4-1. 

(5)  Preventive  maintenance  requires  2.0 
hr. 

Find  the  up-down  time  behavior  of  the  sys- 
tem by  simulation. 

TABLE 4-1

FAILURE AND REPAIR DISTRIBUTION FOR ELEMENTS A AND B IN THE EXAMPLE

The Weibull survival function is $Sf\{t\} = \exp[-(t/\alpha)^{\beta}]$;
the value of t corresponding to Sf is $t = \alpha(-\ln Sf)^{1/\beta}$.

                    α, hr    β, dimensionless    Points for the Sf*, hr
                                                  50%        36.8%
Failure time, A     1200     1.4                  920        1200
Failure time, B     1600     1.8                  1310       1600
Repair time, A      3.1      3.4                  2.8        3.1
Repair time, B      7.4      4.6                  6.8        7.4

* The times shown are those which are exceeded by 50% and 36.8% of the
occasions; they give an idea of the typical times associated with the
distribution. The 50% point is the median; the 36.8% point is 1/e and is
shown because it is easy to calculate, viz., t = α. The value of t for
the 50% point is calculated by setting the Sf to 50%. The times are
rounded to 2 significant figures.

The program steps are as follows:

(1) Prepare the simulation program for this specific problem, including
details of the distributions. This means that the program must “know”
the 5 properties of the system previously listed. The exact form of
inputting the information depends on the simulation program being used.
All pseudo-random numbers are from the [0,1) uniform distribution.

(2)  Choose  2 pseudo-random  numbers. 
Assign  #1  to  element  A,  #2  to  element  B:  this 
is  arbitrary,  but  makes  no  difference  since  the 
numbers  are  random  enough.  Calculate  the 
corresponding  failure  times  for  A and  B;  the 
one  with  the  shortest  failure  time  is  the  one 
that  fails. 

(3)  Choose  a pseudo-random  number. 
From  Step  2,  the  identity  of  the  failed  ele- 
ment is  known.  Calculate  the  repair  time. 

(4) Add the preventive maintenance time.

(5) Record the duration of the up and down times. This life-cycle is
finished. If more are to be run, go to Step 2.

(6) The simulations are finished, the distributions of up and down times
are reasonably well known. Calculate the quantities of interest, e.g.,
s-availability, and print them out.

Three life-cycles will be examined. Table 4-2 lists the pseudo-random
numbers that will be used; they were taken from Ref. 4, Table 26-11, but
they could have come from any generator of random numbers. The bunching
effect in cycles 1 and 3 is just the “luck of the draw”; that’s the way
it happens sometimes.

TABLE 4-2

LIST OF PSEUDORANDOM NUMBERS FROM THE UNIFORM DISTRIBUTION

Cycle 1    Cycle 2    Cycle 3
.38856     .20431     .96806
.43328     .01169     .99605
.37729     .61815     .95317

CYCLE 1

Step 2. The 2 pseudo-random numbers are 0.38856 and 0.43328; they are
the Sf for A and B, respectively. (Failure times are calculated from the
formula in Table 4-2.)

The failure time for A is (1200 hr) × $(-\ln 0.38856)^{1/1.4}$ = 1153 hr.

The failure time for B is (1600 hr) × $(-\ln 0.43328)^{1/1.8}$ = 1449 hr.
A fails first; so the system was up for 1153 hr.

Step 3. The pseudo-random number is 0.37729. A is being repaired. The
repair time for A is (3.1 hr) × $(-\ln 0.37729)^{1/3.4}$ = 3.08 hr.

Step 4. The preventive maintenance time for A is 2.0 hr; so the down
time is (3.08 + 2.0) hr = 5.08 hr.

Step 5. Up time = 1153 hr. Down time = 5.08 hr.

CYCLE 2

Step 2. The 2 pseudo-random numbers are 0.20431 and 0.01169; they are
the Sf for A and B, respectively.

The failure time for A is (1200 hr) × $(-\ln 0.20431)^{1/1.4}$ = 1670 hr.

The failure time for B is (1600 hr) × $(-\ln 0.01169)^{1/1.8}$ = 3667 hr.
A fails first; so the system was up for 1670 hr.

Step 3. The pseudo-random number is 0.61815. A is being repaired. The
repair time for A is (3.1 hr) × $(-\ln 0.61815)^{1/3.4}$ = 2.50 hr.

Step 4. The preventive maintenance time for A is 2.0 hr; so the down
time is (2.50 + 2.0) hr = 4.50 hr.

Step 5. Up time is 1670 hr. Down time is 4.50 hr.

CYCLE 3

Step 2. The 2 pseudo-random numbers are 0.96806 and 0.99605; they are
the Sf for A and B, respectively.

The failure time for A is (1200 hr) × $(-\ln 0.96806)^{1/1.4}$ = 103.7 hr.

The failure time for B is (1600 hr) × $(-\ln 0.99605)^{1/1.8}$ = 74.02 hr.
B fails first; so the system was up for 74.0 hours.

Step 3. The pseudo-random number is 0.95317. B is being repaired. The
repair time for B is (7.4 hr) × $(-\ln 0.95317)^{1/4.6}$ = 3.82 hr.

Step 4. The preventive maintenance time for B is 2.0 hr; so the down
time is (3.82 + 2.0) hr = 5.82 hr.

Step 5. Up time = 74 hr. Down time = 5.82 hr.

Step 6. The up/down time pairs are shown in Table 4-3.

TABLE 4-3

UP/DOWN TIME PAIRS FOR THE EXAMPLE

          Up, hr    Down, hr
          1153      5.08
          1670      4.50
          74        5.82
Total     2897      15.40

An estimate of the s-unavailability (poor though it is from only 3
cycles) is “total down time”/“total up and down time” =
(15.40 hr)/(2897 hr + 15.40 hr) = 0.0053.
s-Availability = 1 - s-unavailability = 1 - 0.0053 = 0.9947.

Packaged simulation programs can estimate the uncertainty in that value.
Other reliability-maintainability measures can be calculated as desired.
Two big advantages of a simulation exercise are:

(1) It forces the designer to consider all aspects of the failure-repair
behavior of every element of the system in all possible situations.

(2) It graphically shows the designer the kinds of failure-repair
behavior the system typically exhibits.

The simulation example took about 1 man-hour including the calculations
with an engineering electronic calculator. Large systems can require
man-months of time to set up and hours of run time on large computer
installations.

TABLE 4-4. SUMMARY OF PROGRAMS IN THE RELIABILITY AREA

Program Description | Organizations (Originator or User/Sponsor) | References
--------------------------------------------------------------------------
Computerized Reliability Assessment Method | ARINC/NASA | 5
RESCRIPT (Not a specific program but a reliability-oriented programming language for prediction) | Computer Concepts, Inc. | 6
Automated Reliability Trade-Off Program for balancing cost vs predicted reliability | Collins Radio | 7
Reliability Prediction of majority voter logic by Monte Carlo methods | IBM | 8
Reliability prediction of systems by combining failure rates | Radiation Inc. | 9
Reliability Prediction of systems by combining failure rates | Lockheed-Georgia | 10
Reliability Prediction of systems by programmed prediction equation | Marine Engineering Lab. | 11
Reliability Prediction and crew safety analysis for complex aerospace systems from input logic models | Grumman/NASA | 12
Reliability Prediction program for computing mission success and crew safety for Gemini Launch Vehicle; prediction equations required | Martin-Baltimore | 13
Reliability Prediction by simulation | Air Force Institute of Technology | 14
Special purpose program for prediction of Apollo mission success by simulation | GE-Tempo/NASA | 15
Reliability Analysis and Prediction Independent of Distributions | Lear Siegler/NASA | 16
Automatic Reliability Mathematical Model | NAA | 17
Reliability Prediction of power systems | Westinghouse | 18
Reliability Prediction of space vehicle by Monte Carlo simulation | NAA/NASA | 19
Simulation of Failure-Responsive Systems | Westinghouse/NASA | 20
Weibull Analysis Program - Conducts Weibull Reliability Analysis | Motorola | 20
Reliability program; computer success probability; several components; different distributions; includes correlation between lifetimes | Service Bureau Corp. | 21
Reliability program; computer system reliability estimates of components | Service Bureau Corp. | 22
Mathematical Automated Reliability and Safety Evaluation Program | Mathematica/Sandia | 22, 23
A simulation program for availability analysis using minimal cuts | RTI/NASL | 24
Launch vehicle availability for the Saturn V | Boeing/NASA MSC | 25
Availability and support, used on Minuteman | STL/AF | 26
Availability re Monte Carlo (MORL) | Douglas/NASA | 27
Availability re Monte Carlo, used on BMEWS | PRC | 28
Investigation of the difficulties in existing program languages for availability and related problems | Cook Electric/AFSC RADC | 29
Availability of aircraft, used on B-58, F-111 | General Dynamics, F.W. | 30
[illegible] of programs for early weapon [illegible] | Martin, Orlando | 30
Operational analysis and availability, used on Atlas and Centaur | General Dynamics, F.W. | 31
Support-availability multi-systems operations model (SAMSOM) | RAND/AF | 32
Efficient availability evaluation as changes are made | ARINC/NASL | 15
Effectiveness and design adequacy simulation and evaluation of aircraft | ARINC/AF ASD | 15
WSEIAC model, which combines availability, dependability, and capability | ARINC In-House | 15
System effectiveness analyzer (SEA) for prediction and optimization | Computer Applications/NASL | 15
Steady-state effectiveness, called system effectiveness evaluation analyzer (SEE/AN) | Auerbach/DCA | 15
System simulation (SEE/SIM) | Auerbach/BuShips | 15
ASW mission effectiveness in support of advanced ASW ship | ARMA/BuWps | 15
Effectiveness of multi-mode systems, for the E2A/ATDS | ARINC/BuWps | 15
Cost Reduction Early decision Information Techniques (Oct 73) | Hughes Aircraft Co., Culver City, Calif. | 15
Routine Reliability and Maintainability Prediction and Analysis | unknown | 33
PREDICTORS | R/M Systems, Inc. | 34
RELCOMP: A Computer Program for Calculating System Reliability and MTBF | Interstate Electronics Co. | 35
BIAS: A Network Analysis Computer Program | Lawrence Radiation Laboratory | 36
CROS: Computer Reliability-Optimization System | Hoffman Electronics Co. | 37
OLSASS: On-Line System Availability and Service Simulation | Aerojet ElectroSystems Co. | 38
PATREC: PATtern RECognition Analysis of Fault Trees | Centre d'Etude Nucleaires de Saclay | 39
STM: Synthetic Tree Model and DRAFT for automatic generation of Fault Trees | Aerojet Nuclear Co. | 40
Computer Program for Approximating System Reliability | Research Triangle Institute | 41

4-5 COMPUTER PROGRAMS

Reliability predictions for complex systems frequently require a large amount of tedious computation. A number of computer programs have been developed for performing reliability predictions. A detailed listing of programs is presented in Table 4-4. Some of them may be proprietary. A check should be made at one's computer installation to determine what programs are available and what ones can be obtained.

CHAPTER 5 ALLOCATION OF RELIABILITY REQUIREMENTS


5-0 LIST OF SYMBOLS


AEG 

A 

A, 

Cc 

Ck 

Cm 

8 

M 


N 

n 

n 


nik 


old 


Q 


8k 


Ra’Rb'Rb  i 


' ik 


'kt 


Active Element Group
availability of a subsystem
availability of system
cost constraint (par. 5-2.7.1)
cost of each unit in stage k
0 < Ck < 1 (dimensionless)
complexity factor for (par. 5-2.5) for subsystem k
an effort function (par. 5-2.7.3)
number of modules in system
minimum number of units to be up for system to be up (par. 5-3.4)
number of modules or AEG types in subsystem k
number of subsystems
number of subsystems in series (par. 5-3.2)
constraint allocation vector (par. 5-2.7.1)
number of type i AEG's in subsystem k
number of extra redundant units in stage k (par. 5-2.7.1)
subscript, implies the old system, as opposed to the new system about which calculations are being made.
1 - R (may have same subscript on both R and Q)
implies a quantity which is allocated, e.g., see\fe and.fi,, .
unreliability for each unit in stage k
number of repairmen for system (par. 5-3.2)
s-Reliability of subsystem A or B or of element Bi
relative failure rate of type i AEG
rating (par. 5-2.5) for factor i of subsystem k
s-Reliability allocated to subsystem k
cost for stage k ($1000)


$R_s$ = system s-reliability requirement
$T$ = mission duration
T, = defined by Eq. 5-72 (par. 5-2.7.1)
$t_k$ = operating time for subsystem k, $0 < t_k \le T$
$U$ = $1 - A$ (also used with subscripts)
$u_k$ = utility assigned to subsystem k, $0 < u_k \le 1$ (dimensionless)
$W$ = relative failure rate of system
= defined by Eq. 5-117
$w_k$ = relative failure rate of subsystem k
$w'_k$ = rating (par. 5-2.5) for subsystem k
A = kj/Pj
y. = $\lambda/\mu$ for the system
$\lambda_k$ = failure rate allocated to subsystem k
$\lambda_s$ = required system failure rate
$\mu$ = repair rate (constant)
$\rho$ = a ratio of new to old failure rates (see Eq. 5-56)
^ = "hat", used on R (par. 5-2.7.3) to imply state-of-the-art value


5-1 INTRODUCTION

Allocation techniques permit the engineer to assign various effectiveness parameters to individual subsystems by knowing the overall system effectiveness requirement and system design. Several allocation procedures are available for situations such as reliability without repair R(t), reliability with repair RR(t), instantaneous availability A(t), and steady-state availability $A_s$. The procedure used depends on the effectiveness measure, the extent of knowledge of system design, and whether constraints on cost or other parameters must be considered at the same time.

If the measure selected for the system is reliability without repair, subsystem reliability or failure rate can be assigned directly from the system requirement.

When reliability with repair or instantaneous availability is chosen as the measure of system effectiveness, the allocation procedure depends on the system configuration. For a simple series system with the proper servicing configuration, the system effectiveness measures can be expressed directly as the product of the subsystem measures and the subsystem measures can, in turn, be expressed as a function of subsystem failure and repair rates. For configurations with redundant subsystems, the system level effectiveness measure usually must be computed as a function of subsystem failure and repair rates, using the transition matrix technique described in Chapter 4. In either case the allocation procedures are more complex than those used for allocating reliability without repair.

The allocation process is approximate. The effectiveness parameters apportioned to the subsystems are used as guidelines to determine design feasibility. If the allocated effectiveness parameters for a specific subsystem cannot be achieved at the current state of technology, then the system design must be modified and the allocations reassigned. This procedure is repeated until an allocation is achieved that satisfies the system level requirement and all constraints, and results in subsystems that can be designed within the state of the art.

Of course, sometimes the system goals will have been too optimistic; however, that is a contractual problem (see Part Five, Contracting for Reliability), not an allocation problem. Also, another management problem, actually meeting the assigned goals, is not discussed. Some managers assign a small extra reduction to everyone and save the "surplus" to give to those who cannot meet their assigned goals.

5-2 SYSTEMS WITHOUT REPAIR

This situation is reasonably straightforward. The basic idea is to allocate reliability goals to each subsystem so that each subsystem will be equally difficult to design and develop. The following assumptions are made:

(1) All failure rates are constant. Rarely is any other assumption justified this early in the design. If it is, just interpret the failure rate as "mean failure rate for the mission".

(2) Each subsystem is operating, i.e., has a nonzero failure rate, for a time which can be less than the mission duration. No subsystem operates for zero time.

(3) Each subsystem contribution to system failure is weighted by its utility. This implies that the system does not always fail if the subsystem fails. Utility can be considered in two ways:

(a) The mission is composed of tasks. The utility of a subsystem is then the fraction of the mission that is not performed if only that subsystem is not working.

(b) There are varied missions. The utility of a subsystem is then the fraction of missions that fail if only that subsystem is not working. No subsystem has zero utility.

(4) The system complexity is allocated to subsystems on an additive basis. System complexity is normalized to 1, and the sum of the subsystem complexities is the system complexity. Complexity is related to estimated failure proneness of the elements composing a subsystem. Allocation methods differ on their bases of assigning complexity to each subsystem.

(5) System failure rate is a weighted sum of the subsystem failure rates.

These assumptions are consistent with the formula:

$$\lambda_s T = \sum_{k=1}^{N} u_k \lambda_k t_k \tag{5-1}$$

where

$\lambda_s$ = required system failure rate, time$^{-1}$
$T$ = mission duration, time
$N$ = number of subsystems
$u_k$ = utility assigned to subsystem k, $0 < u_k \le 1$, dimensionless
$\lambda_k$ = failure rate allocated to subsystem k, time$^{-1}$
$t_k$ = operating time of subsystem k, $0 < t_k \le T$, time

Eq. 5-1 is conventional for s-independent, series systems except for the utility.

The following allocation of failure rate is consistent with Eq. 5-1.

$$\lambda_k = \frac{C_k}{(t_k/T)\,u_k}\,\lambda_s \tag{5-2}$$

where

$C_k$ = complexity factor of subsystem k, $0 < C_k$, $\sum_{k=1}^{N} C_k = 1$, dimensionless

If $\lambda_k$ in Eq. 5-2 is substituted in Eq. 5-1, an identity results, which demonstrates that Eq. 5-2 is indeed a solution to Eq. 5-1.
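The following Python sketch is an added example, not part of the handbook. It applies Eq. 5-2 with module-count complexity (Eq. 5-15) to the radar data of Table 5-2 and then confirms the identity of Eq. 5-1; the function names are hypothetical.

```python
import math

# Radar data of Table 5-2 (columns 1, 2, 4, 6):
# name, number of modules m_k, operating time t_k in hours, utility u_k.
RADAR = [
    ("Power Supply",            35, 12.0, 1.00),
    ("Transmitter",             91, 12.0, 1.00),
    ("Receiver",                88, 12.0, 1.00),
    ("Display and Control",    231, 12.0, 1.00),
    ("Moving-target Indicator", 88,  6.0, 0.25),
]


def system_failure_rate(r_s, mission_hr):
    """lambda_s = -ln(R_s)/T for a constant failure rate (per hour)."""
    if not 0.0 < r_s < 1.0:
        raise ValueError("R_s must lie strictly between 0 and 1")
    if mission_hr <= 0.0:
        raise ValueError("mission duration T must be positive")
    return -math.log(r_s) / mission_hr


def allocate(r_s, mission_hr, subsystems):
    """Allocate lambda_k by Eq. 5-2 with C_k = m_k / M (Eq. 5-15).

    Returns a list of (name, C_k, lambda_k per hour).
    """
    lam_s = system_failure_rate(r_s, mission_hr)
    total_modules = sum(m_k for _, m_k, _, _ in subsystems)
    result = []
    for name, m_k, t_k, u_k in subsystems:
        # Assumptions (2) and (3): no zero operating time, no zero utility.
        if m_k <= 0:
            raise ValueError(f"{name}: module count must be positive")
        if not 0.0 < t_k <= mission_hr:
            raise ValueError(f"{name}: need 0 < t_k <= T")
        if not 0.0 < u_k <= 1.0:
            raise ValueError(f"{name}: need 0 < u_k <= 1")
        c_k = m_k / total_modules
        lam_k = c_k * lam_s / ((t_k / mission_hr) * u_k)
        result.append((name, c_k, lam_k))
    return result


def round_sig(x, digits=2):
    """Round to significant figures, as done before tabulating."""
    if x == 0.0:
        return 0.0
    return round(x, digits - 1 - math.floor(math.log10(abs(x))))


def mission_check(subsystems, rates_per_hr):
    """Right-hand side of Eq. 5-1: sum of u_k * lambda_k * t_k."""
    return sum(u_k * lam * t_k
               for (_, _, t_k, u_k), lam in zip(subsystems, rates_per_hr))


if __name__ == "__main__":
    rows = allocate(0.90, 12.0, RADAR)
    for name, c_k, lam_k in rows:
        print(f"{name:24s} C_k={c_k:.4f}  "
              f"lambda_k={round_sig(lam_k * 1000)} per 1000 hr")
    exact = mission_check(RADAR, [lam for _, _, lam in rows])
    print(f"sum u_k*lambda_k*t_k = {exact:.4f}, "
          f"lambda_s*T = {-math.log(0.90):.4f}")
```

The allocated rates themselves do not add up to the system failure rate, because each one is divided by its own duty cycle and utility; only the weighted sum of Eq. 5-1 recovers the requirement.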

5-2.1 EQUAL ALLOCATION

This is the simplest situation. It arises under the following additional assumptions about the system:

(1) All utilities are 1: $u_k = 1$ for all k

(2) All subsystems operate for the entire mission: $t_k = T$ for all k

(3) Each subsystem is of equal complexity: $C_k = 1/N$ for all k.

Eq. 5-2 becomes

$$\lambda_k = (1/N)\lambda_s. \tag{5-3}$$

Eq. 5-3 is equivalent to

$$R_k = R_s^{1/N} \tag{5-4}$$

where

$R_k$ = s-Reliability allocated to each subsystem

$R_s$ = system s-reliability requirement

When the s-reliability R is near 1, it is often desirable to calculate the s-unreliability Q.

$$Q = 1 - R \tag{5-5}$$

It is easier to understand, because it is the probability of failure. Example Problem No. 1 illustrates the application of reliability goals.

5-2.2 PROPORTIONAL COMPLEXITY

When a new system is very similar to an old one, with the exception of a new reliability requirement, Eq. 5-2 can be simplified. The basic assumption is that

$$\frac{C_k}{(t_k/T)\,u_k} = \frac{\lambda_{k,old}}{\lambda_{s,old}} \tag{5-8}$$

where

old = subscript denoting the old system.

Eq. 5-2, when combined with Eq. 5-8, simplifies to

$$\lambda_k = \lambda_{k,old} \times \frac{\lambda_s}{\lambda_{s,old}} \tag{5-9}$$

Example Problem No. 2 illustrates the procedure.


5-2.3 SIMPLE-MODULAR COMPLEXITY

Each subsystem is presumed to be composed of s-independent modules in series, each of which has the same failure rate. Complexity is taken to be the fraction of modules in the subsystem

$$C_k = m_k/M \tag{5-15}$$

where

$m_k$ = number of modules in subsystem k
$M$ = number of modules in the system

Then Eq. 5-2 becomes

$$\lambda_k = \frac{m_k/M}{(t_k/T)\,u_k}\,\lambda_s \tag{5-16}$$

Example Problem No. 3 illustrates the procedure.

It is possible to calculate subsystem s-reliability, but its meaning is distorted by the utility and operating time factors in Eq. 5-1. It is better not to make the calculation since the proper explanations will be lost too easily, and the results will appear erroneous without
the explanations.

Example Problem No. 1

A group of 8 roller bearings is required to have an s-reliability of 0.99 and the conditions of Eqs. 5-3 and 5-4 are assumed to be satisfied. What s-reliability is to be allocated to each bearing?

Procedure and Example

(1) Set $R_s$ to the required system s-reliability, and N to the number of subsystems. Solve also for $Q_s$ by Eq. 5-5.

$$R_s = 0.99, \qquad N = 8, \qquad Q_s = 1 - 0.99 = 0.01 \tag{5-6}$$

(2) Solve for $R_k$ by Eq. 5-4 and $Q_k$ by Eq. 5-5.

$$R_k = (0.99)^{1/8} = 0.99874, \qquad Q_k = 1 - 0.99874 = 0.00126 \tag{5-7}$$

Each bearing can have only about 1/8 the failure probability of the whole system. The application of the formulas presumes that bearing failures are s-independent of each other; e.g.,
failure is not due to a sudden stoppage of lubricating-oil flow to all bearings.

Example Problem No. 2

An old hydraulic power supply must be upgraded to a better failure rate. The characteristics of the old system are given in Columns 1, 2 of Table 5-1, and the conditions for Eq. 5-9 are assumed to be satisfied. The failure rate requirement for the new upgraded system is 200 per $10^6$ hr. Allocate this requirement to the subsystems.

Procedure and Example

(1) Set $\lambda_s$ and $\lambda_{s,old}$ to the given values.

$$\lambda_s = 200 \text{ per } 10^6 \text{ hr}, \qquad \lambda_{s,old} = 256 \text{ per } 10^6 \text{ hr} \tag{5-10}$$

(2) Calculate $\lambda_s/\lambda_{s,old}$.

$$\frac{\lambda_s}{\lambda_{s,old}} = \frac{200 \text{ per } 10^6 \text{ hr}}{256 \text{ per } 10^6 \text{ hr}} = 0.78125 \tag{5-11}$$

(3) Fill in column 3, Table 5-1, by Eq. 5-9.

$$\lambda_1 = (3 \text{ per } 10^6 \text{ hr}) \times 0.78125 = 2.344 \text{ per } 10^6 \text{ hr}$$
$$\lambda_2 = (1 \text{ per } 10^6 \text{ hr}) \times 0.78125 = 0.7813 \text{ per } 10^6 \text{ hr}$$
...
$$\lambda_{10} = (67 \text{ per } 10^6 \text{ hr}) \times 0.78125 = 52.34 \text{ per } 10^6 \text{ hr} \tag{5-12}$$

(4) Round off the $\lambda_k$ to 2 significant figures for Table 5-1, so too much accuracy will not be implied.

$$\lambda_1 = 2.3 \text{ per } 10^6 \text{ hr}$$
$$\lambda_2 = 0.78 \text{ per } 10^6 \text{ hr}$$
...
$$\lambda_{10} = 52 \text{ per } 10^6 \text{ hr} \tag{5-13}$$

(5) Confirm that the sum of allocated failure rates for the new system does not exceed the requirement, i.e., $\sum \lambda_k \le 200$. (Units are "per $10^6$ hr".)

$$\sum \lambda_k = 2.3 + 0.78 + 59 + 36 + 23 + 20 + 3.1 + 0.78 + 2.3 + 52 = 199.26 < 200 \tag{5-14}$$

In practice, more attention would be devoted to the pump and starter which together account for over 50% of the system failures, and little if any to the reservoir, strainer, filter,
flexible coupling, and manifold which together account for less than 5% of the system failures.

Example Problem No. 3

An early-warning radar has a reliability requirement of 0.90 for a 12-hr mission (Ref. 2). The system is described in Table 5-2, columns 1, 2, 4, and by the following information: if the moving-target indicator is failed (but the rest of the system is operating), then 25% of the targets will be lost in ground clutter. Other subsystems are essential. The mission value is presumed proportional to the number of targets. Allocate the failure rates to each subsystem.

Procedure and Example

(1) Assign known values.

$$R_s = 0.90, \qquad T = 12 \text{ hr} \tag{5-17}$$

(2) Determine total number of modules M in system, i.e., $M = \sum m_k$.

$$M = 256 \tag{5-18}$$

(3) Calculate mission failure rate by Eq. 4-3, i.e., $\lambda_s = -(\ln R_s)/T$.

$$\lambda_s = -\ln 0.90/12 \text{ hr} = 0.10536/12 \text{ hr} = 8.78/1000 \text{ hr} \tag{5-19}$$

(4) Fill in column 3, Table 5-2, by Eq. 5-15.

$$C_1 = 35/533 = 0.0657$$
$$C_2 = 91/533 = 0.1707$$
...
$$C_5 = 88/533 = 0.1651 \tag{5-20}$$

(5) Fill in column 5, Table 5-2, i.e., $t_k/T$.

$$t_1/T = 12/12 = 1.00$$
...
$$t_5/T = 6/12 = 0.50 \tag{5-21}$$

(6) Fill in column 6, Table 5-2, i.e., $u_k$. Essential subsystems have a utility of 1. Nonessential subsystems have a utility equal to the fraction of targets lost when that subsystem is failed.

$$u_1 = u_2 = u_3 = u_4 = 1, \qquad u_5 = 0.25 \tag{5-22}$$

(7) Fill in column 7, Table 5-2, by Eq. 5-16.

$$\lambda_1 = \frac{0.0657}{1.00 \times 1.00} \times 8.78 \text{ per 1000 hr} = 0.5769 \text{ per 1000 hr}$$
$$\lambda_2 = \frac{0.1707}{1.00 \times 1.00} \times 8.78 \text{ per 1000 hr} = 1.499 \text{ per 1000 hr}$$
...
$$\lambda_5 = \frac{0.1651}{0.50 \times 0.25} \times 8.78 \text{ per 1000 hr} = 11.60 \text{ per 1000 hr} \tag{5-23}$$

(8) Round off $\lambda_k$ to 2 significant figures for Table 5-2, column 7, so too much accuracy will not be implied.

The failure rates in column 7, Table 5-2 do not sum to $\lambda_s$ = 8.78 per 1000 hr (Eq. 5-19) because of the various weighting factors. To check the calculations, Eq. 5-1 has to be used.

(9) Fill in column 8, Table 5-2, i.e., $u_k \lambda_k t_k$.

(10) Sum column 8 by Eq. 5-1.

(11) Compare with requirement $\lambda_s T$ = (8.78 per 1000 hr) × 12 hr = 0.1054.

$$\sum = 0.00696 + 0.01800 + 0.01680 + 0.04560 + 0.01800 = 0.1054 \tag{5-26}$$

The requirement is satisfied to within the accuracy of the problem statement.

TABLE 5-1

FAILURE RATES FOR OLD AND NEW HYDRAULIC SYSTEMS

Failure Rate $\lambda_k$, per $10^6$ hr

(1) Subsystem | (2) Old System | (3) New System
1. Reservoir | 3 | 2.3
2. Strainer | 1 | 0.78
3. Pump | 75 | 59.
4. Motor | 46 | 36.
5. Check Valve | 30 | 23.
6. Relief Valve | 26 | 20.
7. Filter | 4 | 3.1
8. Flexible coupling | 1 | 0.78
9. Manifold | 3 | 2.3
10. Starter | 67 | 52.
Total (System) | 256 | 199.26 < 200

5-2.4 DETAILED COMPLEXITY

Each subsystem is composed of Active Element Groups (AEG) as explained in Ref. 4. The complexity of each subsystem is proportional to the relative failure rate of its AEG's. The AEG's for each subsystem are presumed to be s-independent and in series. A table of relative failure rates is required. Some
are  given  in  Appendix  ALof  Ref.  4.  Failure 
rates in Ref. 1 can be adapted to this purpose, as can in-house data. All AEG failure rates must be relative to one reference, e.g., mechanical elements cannot have one reference and electronic parts another reference. In some older explanations of this procedure (Ref. 4), the data are presumed to have several references; all the data must then be normalized to one of the references.


TABLE 5-2. EXAMPLE RADAR SYSTEM DESCRIPTION

(1) Subsystem | (2) Number of modules $m_k$ | (3) Complexity factor $C_k$ | (4) Operating time $t_k$, hr | (5) $t_k/T$ | (6) Utility $u_k$ | (7) Allocated failure rate $\lambda_k$, per 1000 hr | (8) $u_k \lambda_k t_k$
1. Power Supply | 35 | .0657 | 12 | 1.00 | 1.00 | 0.58 | 0.00696
2. Transmitter | 91 | .1707 | 12 | 1.00 | 1.00 | 1.5 | 0.01800
3. Receiver | 88 | .1651 | 12 | 1.00 | 1.00 | 1.4 | 0.01680
4. Display and Control | 231 | .4334 | 12 | 1.00 | 1.00 | 3.8 | 0.04560
5. Moving-target Indicator | 88 | .1651 | 6 | 0.50 | 0.25 | 12. | 0.01800
Total | 533 | 1.0000 | | | | | 0.1054

Mission duration T = 12 hr
Mission s-reliability requirement 0.90
$\lambda_s$ = 8.78 per 1000 hr
$\lambda_s T$ = 0.1054

The subsystem complexity is

$$C_k = w_k/W \tag{5-28}$$

$$w_k = \sum_{i=1}^{m_k} r_i n_{ik} \tag{5-29}$$

$$W = \sum_{k=1}^{N} w_k \tag{5-30}$$

where

$n_{ik}$ = number of type i AEG's in subsystem k
$r_i$ = relative failure rate of type i AEG
$w_k$ = relative failure rate of subsystem k
$W$ = relative failure rate of the system
$m_k$ = number of AEG types in subsystem k

Example Problem No. 4 illustrates the procedure.

5-2.5 FEASIBILITY-OF-OBJECTIVES ALLOCATIONS

This technique, adapted from Ref. 5, was developed primarily as a method of allocating reliability without repair, for mechanical-electrical systems. In this method, subsystem allocation factors are computed as a function of numerical ratings of system intricacy, state of the art, performance time, and environmental conditions. These ratings are estimated by the engineer on the basis of his experience. Each rating is on a scale from 1 to 10, with values assigned as discussed:

(1) System Intricacy. Intricacy is evaluated by considering the probable number of parts or components making up the system and also is judged by the assembled intricacy of these parts or components. The least intricate system is rated at 1, and a highly intricate system is rated at 10.

(2) State of the Art. The state of present engineering progress in all fields is considered. The least developed design or method is assigned a value of 10, and the most highly developed is assigned a value of 1.

(3) Performance Time. The element that operates for the entire mission time is rated 10, and the element that operates the least time during the mission is rated at 1.

(4) Environment. Environmental conditions are also rated from 10 through 1. Elements expected to experience harsh and very severe environments during their operation are rated as 10, and those expected to encounter the least severe environments are rated as 1.

The ratings are assigned by the engineer using his engineering know-how and experience. An estimate is made of the types of parts and components likely to be used in the new system and what effect their expected use has on their reliability. If particular components had proven to be unreliable in a particular environment, the environmental rating is raised. The ratings can be selected by individual engineers, or through some form of voting technique among a group of design engineers.

The 4 ratings for each subsystem are multiplied together to give a rating for the subsystem; the subsystem rating will be between 1 and $10^4$. The subsystem ratings are then normalized so that their sum is 1. The normalized subsystem rating $C'_k$ is used in place of the factor $C_k/(t_k/T)$ in Eq. 5-2. The utility of each subsystem is considered to be 1. Eqs. 5-1 and 5-2 then become

$$\lambda_s T = \sum_{k=1}^{N} \lambda_k T \tag{5-42}$$

$$\lambda_k = C'_k \lambda_s \tag{5-43}$$

where

$C'_k$ = complexity of subsystem k

$$C'_k = w'_k/W' \tag{5-44}$$

$$w'_k = r'_{1k}\, r'_{2k}\, r'_{3k}\, r'_{4k} \tag{5-45}$$

$$W' = \sum_{k=1}^{N} w'_k \tag{5-46}$$

Example Problem No. 4

Consider a bombsight system comprising three subsystems: a power supply, navigation computer, and optical equipment. The power supply and the optical equipment are series elements in the reliability model; since both must work for the system to be up, the utility of these subsystems is 1. Since the optical equipment can be controlled manually in the event of navigation computer failure, the navigation computer utility is less than 1. Estimates made on the basis of performance of similar systems indicate that 57 mission failures occur for every 100 missions in which the navigation computer and nothing else failed. Therefore, the utility of the navigation computer is 0.57. The system reliability requirement $R_s$ is 0.94 for 6 hr of system operation. The operating time of the power supply and optical equipment is also 6 hr; that for the navigation computer is 5 hr. Detailed steps for conducting the apportionment follow. The system data are given in Table 5-3, columns 1, 2, 3, 7a, 8.

Procedure and Example

(1) Assign known values.

$$R_s = 0.94, \qquad T = 6 \text{ hr} \tag{5-31}$$

(2) Calculate $\lambda_s$ by Eq. 4-2, i.e., $\lambda_s = -(\ln R_s)/T$.

$$\lambda_s = -\ln 0.94/6 \text{ hr} = 10.31 \text{ per 1000 hr} \tag{5-32}$$

(3) Fill in column 4, Table 5-3, i.e., $r_i n_{ik}$. Round off to 1 decimal place, which is more than enough accuracy.

$$r_1 n_{11} = 4.3 \times 40 = 172$$
$$r_2 n_{21} = 2.2 \times 3 = 6.6$$
...
$$r_5 n_{53} = 61 \times 1 = 61$$
$$r_6 n_{63} = 0.030 \times 3 = 0.1 \tag{5-33}$$

(4) Calculate column 5, Table 5-3, by Eq. 5-29.

$$w_1 = 172 + 6.6 + 27 = 206.6$$
$$w_2 = 30 + 207 + 77 + 39 + 16 + 192 + 61 + 154 + 0.4 = 776.4$$
$$w_3 = 11 + 5.4 + 1.9 + 9.6 + 61 + 0.1 = 89.0 \tag{5-34}$$

(5) Calculate W by Eq. 5-30.

$$W = 206 + 776 + 89 = 1071 \tag{5-35}$$

(6) Calculate $C_k$ by Eq. 5-28.

$$C_1 = 206/1071 = 0.192$$
$$C_2 = 776/1071 = 0.725$$
$$C_3 = 89/1071 = 0.083 \tag{5-36}$$

(7) Calculate column 7b, Table 5-3, i.e., $t_k/T$.

$$t_1/T = 6 \text{ hr}/6 \text{ hr} = 1$$
$$t_2/T = 5 \text{ hr}/6 \text{ hr} = 0.833$$
$$t_3/T = 6 \text{ hr}/6 \text{ hr} = 1 \tag{5-37}$$

(8) Fill in column 8, Table 5-3, utility $u_k$, from statement of the problem.

$$u_1 = 1, \qquad u_2 = 0.57, \qquad u_3 = 1 \tag{5-38}$$

(9) Calculate the $\lambda_k$ for column 9, Table 5-3, by Eq. 5-2. Round off to 2 significant figures in the table, so too much accuracy will not be implied. Place unrounded values in parentheses for calculating column 10, the check column.

$$\lambda_1 = \frac{0.192}{1 \times 1} \times 10.31 \text{ per 1000 hr} = 1.980 \text{ per 1000 hr}$$
$$\lambda_2 = \frac{0.725}{0.833 \times 0.57} \times 10.31 \text{ per 1000 hr} = 15.75 \text{ per 1000 hr}$$
$$\lambda_3 = \frac{0.083}{1 \times 1} \times 10.31 \text{ per 1000 hr} = 0.8559 \text{ per 1000 hr} \tag{5-39}$$

(10) Calculate column 10, Table 5-3, i.e., $u_k \lambda_k t_k$.

$$u_1 \lambda_1 t_1 = 1 \times (1.980 \text{ per 1000 hr}) \times 6 \text{ hr} = 0.01188$$
$$u_2 \lambda_2 t_2 = 0.57 \times (15.75 \text{ per 1000 hr}) \times 5 \text{ hr} = 0.04489$$
$$u_3 \lambda_3 t_3 = 1 \times (0.8559 \text{ per 1000 hr}) \times 6 \text{ hr} = 0.00514 \tag{5-40}$$

(11) By Eq. 5-1, the sum of column 10, Table 5-3, ought to be equal to $\lambda_s T$.

$$\text{sum} = 0.01188 + 0.04489 + 0.00514 = 0.06190$$
$$\lambda_s T = -\ln R_s = 0.06188 \tag{5-41}$$

The requirement is satisfied within the accuracy of the problem statement.

As in the previous example, in par. 5-2.4, the subsystem s-reliability is not calculated.

where

$w'_k$ = subsystem rating
$W'$ = system rating
$r'_{ik}$ = rating for factor i of subsystem k; i = 1 is intricacy, i = 2 is state of the art, i = 3 is performance time, i = 4 is environment.

Example Problem No. 5 illustrates the procedure.

5-2.6 REDUNDANT SYSTEMS

The technique described so far in par. 5-2 can be used to allocate reliability without repair for simple redundant systems consisting of two redundant units. Relationships have been developed for both active and standby redundancy by calculating an equivalent series failure index for the redundant subsystem. Ref. 6 describes the procedure and gives graphs for calculating some of the conversion factors. The Ref. 6 procedure is based on finding a common multiplier for all failure rates, even those in redundant systems. This procedure permits the use of the basic allocation formulas developed for series systems.

Before jumping into the allocation problem for systems that contain redundant elements, the designer must ask himself: "What criterion do I want to use in this allocation?". The allocation in par. 5-2.2, where previous failure rates are known or estimated, finds a common factor ($\lambda_s/\lambda_{s,old}$) with which to multiply all failure rates. If this factor is applied to all elements in a subsystem that contains redundancy, the system failure rate will be too low.

The Example Problem No. 6 and Table 5-5 illustrate the situation. The formulas for calculation, and the notation are:

$$R_s = R_A R_B \tag{5-52}$$

$$R_B = 1 - (1 - R_{Bi})^2 \tag{5-53}$$

$$R_{Bi} = 1 - (1 - R_B)^{1/2} \tag{5-54}$$

$$R = \exp(-\lambda T) \tag{5-55a}$$

$$\lambda T = -\ln R \tag{5-55b}$$

$$\rho = (\lambda T)_{new}/(\lambda T)_{old} \tag{5-56}$$

where

s = subscript denoting system
A, B = subscripts denoting subsystems A, B
Bi = subscript denoting elements Bi, i = 1, 2 (viz., B1, B2)
R = s-Reliability
$\lambda$ = failure rate of an element, or mean failure rate for B and s (over mission time T)
T = mission time
$\lambda T$ = s-Expected number of failures during the mission; i.e., the fraction of times the item will fail, when a great many missions are considered.

Eqs. 5-52, 5-53, and 5-54, where subscripts are shown, are true only for those subscripts; Eqs. 5-55 and 5-56 are always true.
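The Python sketch below is an added example, not handbook material. It starts from the old system of Example Problem No. 6, shows that multiplying every element's failure rate by the series factor overshoots the goal, and then finds the common multiplier that meets it. The ratio of 0.5 is a constructed value, the function names are hypothetical, and a bisection search stands in for the graphs of Ref. 6.

```python
import math


def pair_reliability(lt_element):
    """R_B of two active-redundant elements (Eq. 5-53), each with
    R_Bi = exp(-(lambda T)_Bi) by Eq. 5-55a."""
    r_bi = math.exp(-lt_element)
    return 1.0 - (1.0 - r_bi) ** 2


def element_lt_from_pair(lt_pair):
    """(lambda T)_Bi that yields a given (lambda T)_B for the pair:
    Eq. 5-55a, then Eq. 5-54, then Eq. 5-55b."""
    r_b = math.exp(-lt_pair)
    r_bi = 1.0 - math.sqrt(1.0 - r_b)
    return -math.log(r_bi)


def system_lt(lt_a, lt_element):
    """(lambda T)_s for subsystem A in series with pair B (Eq. 5-52)."""
    r_s = math.exp(-lt_a) * pair_reliability(lt_element)
    return -math.log(r_s)


def common_multiplier(lt_a, lt_element, target_lt_s, iterations=200):
    """Single factor applied to every element failure rate (A, B1, B2)
    so that the system just meets target_lt_s. Found by bisection,
    which works because (lambda T)_s rises with the factor."""
    if target_lt_s <= 0.0:
        raise ValueError("target (lambda T)_s must be positive")
    lo, hi = 0.0, 1.0
    while system_lt(hi * lt_a, hi * lt_element) < target_lt_s:
        hi *= 2.0  # goal is looser than the old system
    for _ in range(iterations):
        mid = 0.5 * (lo + hi)
        if system_lt(mid * lt_a, mid * lt_element) < target_lt_s:
            lo = mid
        else:
            hi = mid
    return 0.5 * (lo + hi)


# Old system of Example Problem No. 6 (Eq. 5-57).
LT_A_OLD = 0.05
LT_B_OLD = 0.05
LT_BI_OLD = element_lt_from_pair(LT_B_OLD)

RHO = 0.5  # constructed new-to-old ratio, Eq. 5-56; not from the handbook


def compare(rho=RHO):
    """Series factor applied blindly versus the solved common multiplier."""
    old = system_lt(LT_A_OLD, LT_BI_OLD)
    target = rho * old
    naive = system_lt(rho * LT_A_OLD, rho * LT_BI_OLD)
    factor = common_multiplier(LT_A_OLD, LT_BI_OLD, target)
    achieved = system_lt(factor * LT_A_OLD, factor * LT_BI_OLD)
    return {"old": old, "target": target, "naive": naive,
            "factor": factor, "achieved": achieved}


if __name__ == "__main__":
    for key, value in compare().items():
        print(f"{key:9s} {value:.4f}")
```

Because the pair's unreliability falls roughly as the square of the element unreliability, the elements need a smaller cut than the series factor suggests.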

5-2.7 REDUNDANT SYSTEMS WITH CONSTRAINTS

A project engineer frequently must commit large sums of money for the development and procurement of large and complex weapon systems (Ref. 6). These procurements often must take place within severe time and budget limitations. Although the budget limitations may place very severe restrictions upon the final system configuration, the project engineer is under pressure to deliver a system that has high performance for a given cost and satisfies operational requirements. This paragraph considers several methods of achieving maximum system reliability for a given set of constraints. Since weapon systems are complex, the interrelationships among system design characteristics often are not obvious; therefore, a methodical approach to design optimization is required.

The allocation methods described in this paragraph offer the engineer a set of convenient tools that are relatively easy to apply. They are algebraic in nature and can be solved using a slide rule. However, these techniques cannot be applied to the more complex problem of designing an optimal system in the face
c£  aenstraints, 
Example Problem No. 5

A mechanical-electrical system consists of the following subsystems: propulsion, ordnance, guidance, flight control, structures, and auxiliary power. A system reliability of 0.90 in 120 hr is required. Engineering estimates of intricacy, state of the art, performance time, and environments can be made. The subsystems and their ratings are described in Table 5-4, columns 1-5. Compute the allocated failure rate for each subsystem.

Procedure and Example

(1) Compute the product of the ratings $r'$ for each subsystem and their sums, i.e., fill in column 6, Table 5-4, by Eqs. 5-45 and 5-46.

    $w'_1 = 5 \times 6 \times 5 \times 5 = 750$
    $w'_6 = 6 \times 5 \times 5 \times 5 = 750$
    $W' = 750 + 840 + 2500 + 2240 + 640 + 750 = 7720$    (5-47)

(2) Compute the complexity factors $C'_k$ for each subsystem, i.e., fill in column 7, Table 5-4, by Eq. 5-44.

    $C'_1 = 750/7720 = 0.097$
    $C'_6 = 750/7720 = 0.097$    (5-48)

(3) Compute system failure rate $\lambda_s$ from system specifications by Eq. 4-3; $R_s = 0.90$ and $T = 120$ hr.

    $\lambda_s = -\ln 0.90 / 120\ \text{hr} = 878.0$ per $10^6$ hr    (5-49)

(4) Compute the allocated subsystem failure rate $\lambda_k$, i.e., fill in column 8, Table 5-4, by Eq. 5-43.

    $\lambda_1 = 0.097 \times (878.0$ per $10^6$ hr$) = 85.17$ per $10^6$ hr
    $\lambda_2 = 0.109 \times (878.0$ per $10^6$ hr$)$
    $\lambda_6 = 0.097 \times (878.0$ per $10^6$ hr$) = 85.17$ per $10^6$ hr    (5-50)

(5) Round off failure rates $\lambda_k$ to 2 significant figures, so that too much accuracy will not be implied; sum and compare with Eq. 5-49.

    $\sum \lambda_k = 85 + 96 + 280 + 250 + 73 + 85 = 869 < 878$
(1)                  (2)        (3)        (4)          (5)          (6)      (7)         (8)
Subsystem            Intricacy  State-of-  Performance  Environment  Overall  Complexity  Allocated
                                the-art    time                      rating               failure rate
                     r'1        r'2        r'3          r'4          w'k      C'k         (per 10^6 hours)

1. Propulsion        5          6          5            5            750      .097        85
2. Ordnance          7          6          10           2            840      .109        96
3. Guidance          10         10         5            5            2500     .324        280
4. Flight Control    8          8          5            7            2240     .290        250
5. Structure         4          2          10           8            640      .083        73
6. Auxiliary Power   6          5          5            5            750      .097        85

Total                                                                7720     1.000       869

System s-reliability = 0.90
Mission Time = 120 hours
λs = 878 per 10^6 hours
Example Problem No. 6

SYSTEM: OLD

(1) State the given quantities.

    $(\lambda T)_A = 0.0500$
    $(\lambda T)_B = 0.0500$    (5-57)

(2) Calculate the remainder of the columns of Table 5-5.

    Use Eq. 5-55a for $R_A$:              $R_A = \exp(-0.05) = 0.9512$
    Use Eq. 5-55a for $R_B$:              $R_B = \exp(-0.05) = 0.9512$
    Use Eq. 5-52 for $R_s$:               $R_s = 0.9512 \times 0.9512 = 0.9048$
    Use Eq. 5-54 for $R_{B1}$:            $R_{B1} = 1 - (1 - 0.9512)^{1/2} = 0.7792$
    Use Eq. 5-55b for $(\lambda T)_{B1}$: $(\lambda T)_{B1} = -\ln 0.7792 = 0.2495$
    Use Eq. 5-55b for $(\lambda T)_s$:    $(\lambda T)_s = -\ln 0.9048 = 0.1000$    (5-58)

SYSTEM: NEW NO. 1

(1) State the given quantities.

    $(\lambda T)_A = 0.0500/2 = 0.0250$
    $(\lambda T)_{B1} = 0.2495/2 = 0.1248$    (5-59)

(2) Calculate the remainder of the columns of Table 5-5.

    Use Eq. 5-55a for $R_{B1}$:           $R_{B1} = \exp(-0.1248) = 0.8827$
    Use Eq. 5-53 for $R_B$:               $R_B = 1 - (1 - 0.8827)^2 = 0.9862$
    Use Eq. 5-55a for $R_A$:              $R_A = \exp(-0.025) = 0.9753$
    Use Eq. 5-52 for $R_s$:               $R_s = 0.9753 \times 0.9862 = 0.9618$
    Use Eq. 5-55b for $(\lambda T)_s$:    $(\lambda T)_s = -\ln 0.9618 = 0.0389$    (5-60)
    Use Eq. 5-55b for $(\lambda T)_B$:    $(\lambda T)_B = -\ln 0.9862 = 0.0139$
    Use Eq. 5-56 for $\rho$ and round off to 2 significant figures:
                                          $\rho_s = 0.0389/0.1 = 0.39$
                                          $\rho_{B1} = 0.1248/0.2495 = 0.50$

SYSTEM: NEW NO. 2

(1) State the given quantities.

    $(\lambda T)_A = 0.0500/2 = 0.0250$
    $(\lambda T)_B = 0.0500/2 = 0.0250$    (5-61)

(2) Calculate the remainder of the columns of Table 5-5.

    Use Eq. 5-55a for $R_A$:              $R_A = \exp(-0.0250) = 0.9753$
    Use Eq. 5-55a for $R_B$:              $R_B = \exp(-0.0250) = 0.9753$
    Use Eq. 5-52 for $R_s$:               $R_s = 0.9753 \times 0.9753 = 0.9512$
    Use Eq. 5-54 for $R_{B1}$:            $R_{B1} = 1 - (1 - 0.9753)^{1/2} = 0.8429$
    Use Eq. 5-55b for $(\lambda T)_s$:    $(\lambda T)_s = -\ln 0.9512 = 0.0500$
    Use Eq. 5-55b for $(\lambda T)_{B1}$: $(\lambda T)_{B1} = -\ln 0.8429 = 0.1709$
    Use Eq. 5-56 for $\rho$ and round off to 2 significant figures:
                                          $\rho_s = 0.0500/0.1 = 0.50$
                                          $\rho_{B1} = 0.1709/0.2495 = 0.68$
The analysis that follows uses the tabulation in Table 5-5.

The factor $\lambda T$ is the s-expected number of failures in a mission. In the old system, those failures are evenly split between A and B. The elements B1 and B2 have 5 times the failures that A has.

In New No. 1, the failure rates for the elements have been equally improved, by design. Now A has 2 times the failures of B, i.e., B has been improved more than A has.

In New No. 2, the failure rates for the subsystems have been equally improved, by design. The system failures are evenly split between A and B, as in the old system; however, B1, B2 only needed their failure rates reduced to 68% of the old value, while A needed its failure rate reduced to 50% of its old value.

The degree of imbalance depends on the kind of system and the numbers chosen for illustration, but the principle remains: there is no one “right” way to allocate reliability improvement to elements of redundant systems.

A quick-and-dirty method of allocating reliability improvement is to apply the system improvement factor to each element, as in par. 5-2.2. The new system will then be better than needed. Take this “bonus” and allocate it to the series subsystems that appear least capable of meeting the improvement goals. With the widespread use of engineering calculators for small systems and computerized calculations for large systems, the trial-and-error method proposed here is quick (no special formulas are needed) and is good enough.

The quick-and-dirty method will be illustrated for the system in Table 5-5. Suppose the system is to have its failure rate halved.


SYSTEM: NEW NO. 3 (“Quick and Dirty” Allocation)

(1) State system failure reduction.

    $\rho_s = 0.50$
    $(\lambda T)_s = 0.1000 \times 0.50 = 0.0500$    (5-63)

(2) Apply the reduction factor to each element of the system as described in the steps that follow.

    See System: New No. 1.

(3) Find the surplus failures, i.e.,

    $(\lambda T)_{\text{New No. 3}} - (\lambda T)_{\text{New No. 1}}$    (5-64)

    $0.0500 - 0.0389 = 0.0111$    (5-64)

(4) Decide on the basis of difficulty of meeting goals, i.e., where to allocate the surplus failures. Assume the elements B1 and B2 will be difficult to improve; accordingly, give B about 2/3 and A about 1/3.

    extra for B $= 0.0111 \times (2/3) = 0.0074$
    extra for A $= 0.0111 \times (1/3) = 0.0037$
    $(\lambda T)_B = 0.0139 + 0.0074 = 0.0213$
    $(\lambda T)_A = 0.0250 + 0.0037 = 0.0287$    (5-65)

(5) Calculate the remainder of the columns in Table 5-5.

    Use Eq. 5-55a for $R_A$:              $R_A = \exp(-0.0287) = 0.9717$
    Use Eq. 5-55a for $R_B$:              $R_B = \exp(-0.0213) = 0.9789$
    Use Eq. 5-52 for $R_s$:               $R_s = 0.9717 \times 0.9789 = 0.9512$
    Use Eq. 5-55b for $(\lambda T)_s$:    $(\lambda T)_s = -\ln 0.9512 = 0.0500$
    Use Eq. 5-54 for $R_{B1}$:            $R_{B1} = 1 - (1 - 0.9789)^{1/2} = 0.8548$
    Use Eq. 5-55b for $(\lambda T)_{B1}$: $(\lambda T)_{B1} = -\ln 0.8548 = 0.1569$    (5-66)
    Use Eq. 5-56 for $\rho$ and round off to 2 significant figures:
                                          $\rho_s = 0.0500/0.1000 = 0.50$
                                          $\rho_{B1} = 0.1569/0.2495 = 0.63$

The problem has been “solved”; no complicated charts or theory had to be used; and the results look reasonable. B1 and B2 require less improvement than does A, and the system goal of 50% reduction in $\lambda T$ was met.

Whenever redundancy is involved in a subsystem, that subsystem will not have a constant failure rate, nor will the system. The allocations of $\lambda T$ (or of $\lambda$) then depend somewhat on mission time. This is another reason why it rarely pays to use anything but quick-and-dirty methods of allocation. In very large systems, the calculations will be long and tedious, but the principles on which the calculations are based ought to be simple.




TABLE 5-5. COMPARISON OF IMPROVEMENT STRATEGIES

NAME                            OLD             NEW #1                NEW #2                NEW #3
system  subsystem  elements     λT     R        λT     R      ρ       λT     R      ρ       λT     R      ρ

s                               .1000  .9048    .0389  .9618  .39     .0500  .9512  .50     .0500  .9512  .50
        A          A            .0500  .9512    .0250  .9753  .50     .0250  .9753  .50     .0287  .9717  .57
        B                       .0500  .9512    .0139  .9862  .28     .0250  .9753  .50     .0213  .9789  .43
                   B1           .2495  .7792    .1248  .8827  .50     .1709  .8429  .68     .1569  .8548  .63
                   B2           .2495  .7792    .1248  .8827  .50     .1709  .8429  .68     .1569  .8548  .63

New #1: λnew = ½ λold for the elements
New #2: λnew = ½ λold for the subsystems

System s has 2 subsystems A, B in series.
Subsystem B has 2 elements, B1, B2 in active (hot) parallel redundancy.
Subsystem A has 1 element, itself.

$R = \exp(-\lambda T)$
where
R = reliability of the item
$\lambda T = -\ln R$, the s-expected number of failures for the mission
$\lambda$ = an equivalent failure rate for the mission time T
$\rho = (\lambda T)_{\text{new}}/(\lambda T)_{\text{old}} = \lambda_{\text{new}}/\lambda_{\text{old}}$
A number of different optimization techniques are available that work well for many different types of problems. The methods are general; however, only a limited number of variables will be considered, permitting the use of simple examples. Also, from a practical point of view, limiting the analysis to a few variables results in mathematically tractable problems whose results can be visualized by the engineer.

An allocation of subsystem reliability with constraints requires the existence of data or formulas that relate the constrained variables to reliability, i.e., the cost (or weight, etc.) of system alternatives of different reliabilities must be computable. This is usually the area of greatest uncertainty in system design, and the cost data frequently are obtained by means of a rough guess. Although the techniques described are general, the engineer must keep in mind the fact that the results produced are very sensitive to the quality of the input data.

5-2.7.1 Simple Redundancy Allocation With a Single Constraint

As the complexity of weapon systems increases, their reliabilities tend to decrease. One method for coping with this problem is to design reliable systems using less reliable subsystems in redundant configurations.

The simple technique in this paragraph describes a method for maximizing system reliability subject to a single constraint such as cost; it also can be extended to multiple constraints. An abundant literature has been developed that describes the techniques used for redundancy allocation, such as Lagrange multipliers and dynamic programming.

Example Problem No. 7 illustrates the procedure (Refs. 7 to 23).

5-2.7.2 Dynamic Programming Allocation

Dynamic programming allocation (Ref. 10) is another useful procedure when system reliability must be allocated to the subsystems in the face of constraints on such factors as weight and cost. The dynamic programming approach can be most useful because it can be implemented with a simple algorithm that consists of only arithmetic operations. Some advantages of the dynamic programming approach are:

(1) Large problems can be solved with a minimum number of calculations (this “minimum” may be very large for a complex system).

(2) There is always a finite number of steps required in computing an optimum solution.

(3) There are no restrictions of any kind on the form of the functional expressions for computing reliability or the form of the cost estimating equations. Nonlinear functions can be used if required.

The dynamic programming algorithms provide a guide through the maze of possible alternate calculations that may arise when big systems are being analyzed. The dynamic programming approach also can be applied to the problem of reliability optimization of redundant systems with repair. The use of the dynamic programming algorithm does not in any way remove the requirement for computing the reliability and cost for each system configuration. However, it minimizes the total number of calculations by rejecting those configurations that would result in a decreasing reliability or in costs exceeding the cost constraints, etc.

Many algorithms can be developed to solve dynamic programming problems. Generally, the algorithm chosen should be the one that is more efficient, i.e., finds the solution with the least number of iterations. For any reasonably large system a large number of calculations are required; therefore, the engineer must consider using the computer and should consult the system programmers to find what programs are readily available.

5-2.7.3 Minimization of Effort Algorithm

The minimization of effort algorithm technique (Ref. 24) can be used to allocate reliability requirements to the subsystems in a way that minimizes the engineering design effort (cost, man-hours, etc.) required to achieve overall system reliability. We are not applying a constraint to cost by merely trying
Example Problem No. 7

A system consists of four subsystems (called stages) whose reliabilities and costs are known. The overall system reliability of 0.357 is completely unacceptable for a new application in which at least 0.99 is required. One approach to achieving the system requirement is to add active redundant units until the new reliability requirement is satisfied. Unfortunately, a cost constraint of $27,000 has been established. What system configuration maximizes system reliability and satisfies this constraint?

Procedure and Example

(1) State the system reliability requirement.

    $R_s = 0.99$    (5-67)

(2) State the cost restraint.

    $C_s = \$27{,}000$    (5-68)

(3) Tabulate the predicted cost, reliability, and unreliability of each subsystem (stage).

    See Table 5-6.

(4) Define a vector $\mathbf{n} = (n_1, n_2, \ldots, n_n)$ which is called the constraint vector, where $n_i$ = number of (extra) redundant units in stage i.

    $(n_1, n_2, n_3, n_4)$    (5-69)

(5) Define the cheapest allocation vector, i.e., the one with no redundancy.

    $\mathbf{n}_0 = (0, 0, 0, 0)$    (5-70)

(6) Add a single redundant unit to each stage in succession, generating four new systems each of which has a single redundant unit in one stage. Compute the allocation vector for each.

    $\mathbf{n}_1 = (1, 0, 0, 0)$
    $\mathbf{n}_2 = (0, 1, 0, 0)$
    $\mathbf{n}_3 = (0, 0, 1, 0)$
    $\mathbf{n}_4 = (0, 0, 0, 1)$    (5-71)

(7) For each new system compute the term:

    (5-72)

    where
    $C_{i1}$ = cost of each unit in stage i
    $Q_i$ = unreliability of each unit in stage i
    $n$ = number of redundant units in stage i
    $n + 1$ = total number of units in stage i

    $T_1 = 0.1494$
    $T_2 = 0.1141$
    $T_3 = 0.0656$
    $T_4 = 0.0311$    (5-73)

(8) Since the first term $T_1$ is the largest, add a redundant unit in stage 1 and write the allocation vector.

    $\mathbf{n} = (1, 0, 0, 0)$    (5-74)

(9) Compute the system reliability and cost for this new system:

    $R_s = (2R_1 - R_1^2) R_2 R_3 R_4$    (5-75)
    $R_s = (2 \times 0.80 - 0.80^2) \times 0.7 \times 0.75 \times 0.85 = 0.428$    (5-77)

    $C_s = 2C_1 + C_2 + C_3 + C_4$    (5-76)
    $C_s = 2 \times 1200 + 2300 + 3400 + 4500 = \$12{,}600$    (5-78)
(10) Repeat Steps (6) and (7) until a system that satisfies the reliability requirement and cost restraint is obtained. If the cost restraint is exceeded at $R_s = 0.99$, then select the system that yields the highest $R_s$ within the cost constraint. In this example, the computations are repeated until systems represented by the following redundancy allocation vectors are obtained:

    $\mathbf{n}_{s1} = (2, 2, 1, 1)$    (5-79)
    $\mathbf{n}_{s2} = (2, 2, 2, 1)$    (5-80)

(11) Compute system reliability and cost for each of these systems:

    $R_{s1} = [1 - (1 - R_1)^3][1 - (1 - R_2)^3][1 - (1 - R_3)^2][1 - (1 - R_4)^2]$    (5-81)
    $C_{s1} = 3C_1 + 3C_2 + 2C_3 + 2C_4$    (5-82)
    $R_{s2} = [1 - (1 - R_1)^3][1 - (1 - R_2)^3][1 - (1 - R_3)^3][1 - (1 - R_4)^2]$    (5-83)
    $C_{s2} = 3C_1 + 3C_2 + 3C_3 + 2C_4$    (5-84)

    $R_{s1} = 0.8845$    (5-85)
    $C_{s1} = \$26{,}300$    (5-86)
    $R_{s2} = 0.9288$    (5-87)
    $C_{s2} = \$29{,}700$    (5-88)

The system represented by the redundancy allocation vector $\mathbf{n}_{s2} = (2, 2, 2, 1)$ exceeds the cost constraint. The system represented by the vector $\mathbf{n}_{s1}$ satisfies the cost constraint; however, the system reliability falls far short of the 0.99 required. The technique of redundancy allocation is not sufficient, and a reliability improvement program would be required.
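The following Python example is added here and is not part of the handbook. It runs the unit-by-unit procedure of Example Problem No. 7 on the Table 5-6 data; the ranking term `gain_per_cost` is an assumption, because Eq. 5-72 is not legible on this page (it is the increase in ln of stage reliability per $1000, which reproduces the printed $T_2$, $T_3$ and $T_4$), and choosing only among stages that still fit the budget is a generalization of the printed steps.

```python
import math

# Stage data from Table 5-6: (cost per unit in $1000, reliability per unit).
STAGES = [(1.2, 0.80), (2.3, 0.70), (3.4, 0.75), (4.5, 0.85)]


def stage_reliability(r, extra):
    """Reliability of one stage holding 1 + `extra` active-parallel units."""
    return 1.0 - (1.0 - r) ** (extra + 1)


def system_reliability(stages, alloc):
    """Series product of the stage reliabilities for allocation vector `alloc`."""
    return math.prod(stage_reliability(r, n) for (_, r), n in zip(stages, alloc))


def system_cost(stages, alloc):
    """Total cost in $1000: each stage pays for its original unit plus extras."""
    return sum(c * (n + 1) for (c, _), n in zip(stages, alloc))


def gain_per_cost(cost, r, extra):
    """ASSUMED ranking term (Eq. 5-72 is not legible on the page):
    increase in ln(stage reliability) from one more unit, per $1000."""
    before = stage_reliability(r, extra)
    after = stage_reliability(r, extra + 1)
    return math.log(after / before) / cost


def allocate(stages, budget, target):
    """Add one redundant unit at a time to the affordable stage with the
    largest gain_per_cost. Stops when the target is met or when no further
    unit fits the budget. Returns (alloc, reliability, cost, steps)."""
    alloc = [0] * len(stages)
    steps = [tuple(alloc)]
    while system_reliability(stages, alloc) < target:
        spent = system_cost(stages, alloc)
        affordable = [i for i, (c, _) in enumerate(stages)
                      if spent + c <= budget + 1e-9]
        if not affordable:
            break  # the cost constraint binds before the requirement is met
        best = max(affordable,
                   key=lambda i: gain_per_cost(stages[i][0], stages[i][1], alloc[i]))
        alloc[best] += 1
        steps.append(tuple(alloc))
    return alloc, system_reliability(stages, alloc), system_cost(stages, alloc), steps


if __name__ == "__main__":
    alloc, rel, cost, steps = allocate(STAGES, budget=27.0, target=0.99)
    for s in steps:
        print(s, round(system_reliability(STAGES, s), 4),
              round(system_cost(STAGES, s), 1))
    print("final allocation:", alloc)
    print("requirement met:", rel >= 0.99)
```
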
TABLE 5-6

COST AND RELIABILITY DATA ASSOCIATED WITH EXAMPLE PROBLEM NO. 7

STAGE   COST ($1000)   RELIABILITY   UNRELIABILITY

1       C11 = 1.2      0.80          Q1 = 0.20
2       C21 = 2.3      0.70          Q2 = 0.30
3       C31 = 3.4      0.75          Q3 = 0.25
4       C41 = 4.5      0.85          Q4 = 0.15

to minimize it. This technique is useful because the function that relates engineering effort in terms of man-hours or cost to reliability need not be known exactly, but it must obey certain basic assumptions. The technique is outlined in the paragraphs that follow.

A system consists of n subsystems, which are in series for reliability purposes. The state-of-the-art system reliability $R_s(t)$ is

    $R_s(t) = R_1(t) \cdot R_2(t) \cdots R_n(t)$    (5-89)

The system must be redesigned to satisfy a new reliability goal $\bar{R}_s(t)$, where $R_s(t) < \bar{R}_s(t)$. What reliabilities must be allocated to the subsystems so that the new system reliability is achieved and the overall design effort is minimized?

The design effort is expressed in terms of an effort function $g_s(R_s, \bar{R}_s)$:

    $g_s(R_s, \bar{R}_s) = \sum_{i=1}^{n} g_i(R_i, \bar{R}_i)$    (5-90)

where the super bar denotes “allocated value”. Each individual subsystem effort function is a function of its state-of-the-art reliability $R_i$ and allocated reliability $\bar{R}_i$. The required system reliability $\bar{R}_s(t)$ is equal to the product of the allocated subsystem reliabilities $\bar{R}_i(t)$:

    $\bar{R}_1(t) \cdot \bar{R}_2(t) \cdot \bar{R}_3(t) \cdots \bar{R}_n(t) = \bar{R}_s(t)$    (5-91)

The effort function must obey the following assumptions:

(1) $g(R_i, \bar{R}_i) \ge 0$    (5-92)

(2)  g(Rj,Rj)  is  nonincreasing  in  R for 
fixed  Rj  and  n’onincreasing  in  R.  for 
fixed  Rj. 

(3) $g(R_i, \bar{R}_i) + g(\bar{R}_i, R'_i) = g(R_i, R'_i)$    (5-93)
where $R_i < \bar{R}_i < R'_i$

(4) $g(0, R_i)$ has a derivative $h(R_i)$ such that $R_i h(R_i)$ is strictly increasing in the interval $0 < R_i < 1$.

The procedure is illustrated by means of Example Problem No. 8.

5-3 SYSTEMS WITH REPAIR

For repairable systems, the subsystems effectiveness parameters (reliability, availability, MTFF) cannot be derived directly from the system level parameters. Instead, a set of subsystem failure and repair rates is assumed, and the system level effectiveness parameter is computed. The computed result is compared with the requirement, and the subsystem failure and repair rates are modified. This process is repeated until the system requirement is satisfied.

The system effectiveness requirement can be satisfied with a large number of different sets of subsystem failure and repair rates (all transition rates are presumed to be constant). Therefore, engineering judgment must be used to narrow the choice of values. It is also possible to trade off failure rates, repair rates, maintenance strategies, and costs in achieving the system requirement. The problem of allocating subsystem parameters is really a problem of trade-offs.

5-3.1 AN ELEMENTARY APPROACH TO STEADY-STATE AVAILABILITY

The elementary problem discussed here illustrates the way in which subsystem failure and repair rates can be allocated to satisfy a system availability requirement. Consider a single unit whose required steady-state availability $A_s$ is specified.
Example Problem No. 8

A system consists of three s-independent subsystems, A, B, C, all of which must function without failure in order to achieve system success. The predicted subsystem reliabilities are $R_A = 0.90$, $R_B = 0.80$, and $R_C = 0.85$, which results in a system reliability of 0.613. A system reliability requirement of 0.70 is established. Allocate reliability to each subsystem in a manner that minimizes the total engineering effort. For simplicity, assume identical effort functions for the three subsystems.

Procedure and Example

(1) State the system reliability requirements and the number of subsystems.

    $\bar{R}_s(t) = 0.70$
    $n = 3$    (5-94)

(2) Arrange the subsystem predicted reliabilities in ascending order.

    $R_B(t) = 0.80$
    $R_C(t) = 0.85$
    $R_A(t) = 0.90$    (5-95)

(3) Allow the subscripts of the predicted reliabilities to take on the following values: B = 1, C = 2, A = 3, and rewrite the reliabilities.

    $R_1(t) = 0.80$
    $R_2(t) = 0.85$
    $R_3(t) = 0.90$    (5-96)

(4) Compute the series of terms:

    $r_j(t) = \left[ \frac{\bar{R}_s(t)}{\prod_{i=j+1}^{n+1} R_i(t)} \right]^{1/j}$

    where

    $R_{n+1}(t) = 1$    (5-98)

    $r_1(t) = \frac{0.70}{0.85 \times 0.90 \times 1.0} = 0.915$
    $r_2(t) = \left( \frac{0.70}{0.90 \times 1.0} \right)^{1/2} = 0.882$
    $r_3(t) = 0.888$    (5-99)

(5) Compare the following pairs of values:

    $R_1(t), r_1(t)$:    0.80 < 0.915
    $R_2(t), r_2(t)$:    0.85 < 0.882
    $R_3(t), r_3(t)$:    0.90 > 0.888

(6) Define the largest subscript j such that:

    $R_j(t) < r_j(t)$    (5-100)

    j = 2, because 2 is the largest subscript for which $R_j(t) < r_j(t)$.

(7) The allocated subsystem reliabilities $\bar{R}_A(t)$, $\bar{R}_B(t)$, and $\bar{R}_C(t)$ are:

    $\bar{R}_A(t) = 0.90$ (unchanged)
    $\bar{R}_B(t) = \bar{R}_1(t) = r_2(t)$
    $\bar{R}_C(t) = \bar{R}_2(t) = r_2(t)$    (5-101)

    $\bar{R}_A(t) = 0.90$
    $\bar{R}_B(t) = 0.882$
    $\bar{R}_C(t) = 0.882$    (5-102)

(8) Check the allocation:

    $\bar{R}_s(t) = \bar{R}_A(t) \cdot \bar{R}_B(t) \cdot \bar{R}_C(t)$    (5-103)
    $\bar{R}_s(t) = 0.90 \times 0.882 \times 0.882 = 0.700$    (5-104)
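The following Python example is added here and is not part of the handbook. It carries out Steps (2) through (7) of Example Problem No. 8 for any number of series subsystems, under the same assumption of identical effort functions; the function name and return layout are choices made for this illustration.

```python
def minimum_effort_allocation(predicted, target):
    """Allocate reliabilities to series subsystems by the procedure of
    Example Problem No. 8 (identical effort functions assumed).

    predicted: dict of subsystem name -> predicted reliability, each in (0, 1]
    target:    required system reliability, in (0, 1]
    Returns (allocated, terms, k0):
      allocated  dict of subsystem name -> allocated reliability
      terms      dict j -> r_j, the series of terms from Step (4)
      k0         number of lowest-reliability subsystems raised to r_k0
                 (0 means the predicted system already meets the target)
    """
    if not 0.0 < target <= 1.0:
        raise ValueError("target must be in (0, 1]")
    if not predicted or any(not 0.0 < r <= 1.0 for r in predicted.values()):
        raise ValueError("every predicted reliability must be in (0, 1]")

    # Steps (2)-(3): ascending order, renumbered 1..n.
    order = sorted(predicted, key=predicted.get)
    R = [predicted[name] for name in order]
    n = len(R)

    # Step (4): r_j = (target / product of R_{j+1}..R_{n+1}) ** (1/j), R_{n+1} = 1.
    terms = {}
    tail = 1.0
    for j in range(n, 0, -1):
        terms[j] = (target / tail) ** (1.0 / j)
        tail *= R[j - 1]  # tail now covers R_j .. R_{n+1}

    # Steps (5)-(6): largest subscript j with R_j < r_j.
    k0 = max((j for j in range(1, n + 1) if R[j - 1] < terms[j]), default=0)

    # Step (7): the k0 weakest subsystems all receive r_k0; the rest are unchanged.
    allocated = dict(predicted)
    for name in order[:k0]:
        allocated[name] = terms[k0]
    return allocated, terms, k0


if __name__ == "__main__":
    alloc, terms, k0 = minimum_effort_allocation(
        {"A": 0.90, "B": 0.80, "C": 0.85}, target=0.70)
    print("r_j terms:", {j: round(v, 3) for j, v in sorted(terms.items())})
    print("k0 =", k0)
    print("allocated:", {k: round(v, 3) for k, v in alloc.items()})
    print("check product:", round(alloc["A"] * alloc["B"] * alloc["C"], 3))
```
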
    $A = \frac{\mu}{\mu + \lambda} = \frac{1}{1 + (\lambda/\mu)}$    (5-105)

where

$\lambda$ = unit failure rate (constant), and
$\mu$ = unit repair rate (constant).


A given availability (Fig. 5-1) can be achieved by any combination of failure rate and repair rate that gives the same ratio, i.e., $\lambda$ and $\mu$ can assume any value provided the ratio is fixed to give the required availability. Availability can be increased by decreasing the failure rate or increasing the repair rate. Constraints can be applied to $\lambda$, or $\mu$, or both. If costs can be related to $\lambda$ and $\mu$, a relatively complex trade-off must be performed, even for a simple 1-unit system.


(1) A single repairman must repair any one of n identical, s-independent subsystems in series. The ratio of failure rate to repair rate is such that there is a strong possibility that a second subsystem will fail while the first one is being repaired.

(2) Same as (1) except a repairman is assigned to each subsystem and can only work on that particular subsystem.

(3) Same as (1) except some intermediate number of repairmen r less than the number of subsystems is assigned. Any repairman can work on any system.

(4) Repeat cases (1)-(3) with nonidentical subsystems.

The steady-state availability in Case (1) is:


where

$\mu$ = subsystem repair rate
$\lambda$ = subsystem failure rate
n = number of subsystems in series.

For example, if n = 4 and $A_s = 0.90$, the allocation equation becomes:

0.90  (5-107) 


(« 

4 

1 

24 
mA  = 

1 +(f) 

38.9 

fifty 

! + iH 

ft) 

RATIO  ^ 

V 

FIGURE  5-1.  Steady-state  Availability  vs 
the  Ratio  of  Failure  Rate  to  Repair  Rate 2 6 


5-3.2 FAILURE RATE AND REPAIR RATE ALLOCATION FOR SERIES SYSTEMS

Several cases can be considered:


The complexities of allocating failure and repair rates for even simple cases are apparent. If the subsystems are not identical, the allocation must be solved using the state matrix approach to compute availability.

Case (2) represents the situation in which a repairman is assigned to each subsystem. It is equivalent to the condition in which $\mu/\lambda \gg 1$, i.e., failure rate is much smaller than repair rate. Since this is true of many systems, a wide variety of practical problems can be solved.
The steady-state availability of a series system of n identical, s-independent subsystems is

    $A_s = A_i^n = \left[ \frac{1}{1 + (\lambda/\mu)} \right]^n$    (5-108)

where

$A_s$ = system steady-state availability
$A_i$ = subsystem availability
n = number of subsystems

Example Problem No. 9 illustrates the procedure.

5-3.3 A SIMPLE TECHNIQUE FOR ALLOCATING STEADY-STATE AVAILABILITY TO SERIES SYSTEMS

A procedure similar to the method in par. 5-2.2 for allocating reliability without repair can be used when the ratio $\gamma_j = \lambda_j/\mu_j < 0.1$ for subsystem j, for all j. The accuracy of the method increases as $\gamma_j$ decreases. The availability of a series system with subsystems whose failures and repairs are all s-independent is:

    $A_s = \frac{1}{1 + \sum_{j=1}^{n} \gamma_j}$    (5-115)

where

$\gamma_j$ = ratio for subsystem j with all $\gamma_j < 0.1$
n = number of subsystems in series

The system $\gamma_s$:

    $\gamma_s = \gamma_1 + \gamma_2 + \cdots + \gamma_n$    (5-116)

A relative weighting factor $W_j$ can be computed from:

    (5-117)

The new system is similar in design to the old, and the relative weighting factors are the same for each new subsystem.

Example Problem No. 10 illustrates the procedure.

5-3.4 FAILURE AND REPAIR RATE ALLOCATIONS FOR REDUNDANT SYSTEMS

A system comprising several stages of redundant subsystems whose $\lambda/\mu$ ratio is less than 0.1 can be treated as if the stages were s-independent. The system steady-state availability $A_s$ is

    $A_s = A_1 \cdot A_2 \cdot A_3 \cdots$    (5-131)

where

$A_j$ = the availability of stage j.

This is equivalent to treating each stage as if it had a repairman assigned to it. It is also equivalent to saying that a single repairman is assigned to the system, but that the probability of a second failure occurring while the first is being repaired is very small. If the stages are not s-independent, the system availability must be computed by the state matrix approach. In either case, the system requirement can be obtained with a range of failure and repair rates. Trade-off procedures must be used to determine the best set of these parameters.

The availability of a system of n identical units where at least m of n must be operating for the system to be operating is:

    $A_s = \frac{1}{(\lambda + \mu)^n} \sum_{i=m}^{n} \binom{n}{i} \mu^i \lambda^{n-i}$    (5-132)

where

$\mu$ = unit repair rate (constant)
$\lambda$ = unit failure rate (constant)
n = total number of units
m = minimum number of units which must be up for the system to be up.

Availabilities can be computed as a function of repair rate to failure rate ratios for systems of up to five redundant units in parallel using Figs. 5-2 through 5-5 (Ref. 25).

If the subsystems in the stage are not identical, state matrix techniques can be used to compute availability.
Example Problem No. 9

A system consists of three identical, s-independent subsystems connected in series. The availability requirement is 0.99, and the repair rate is limited to 0.3 per hr. What is the minimum failure rate which must be allocated to each subsystem to satisfy the system requirement? A repairman is assigned exclusively to each subsystem.

Procedure and Example

(1) State the system availability requirement.

    $A_s = 0.99$    (5-109)

(2) Compute the availability of each subsystem by

    $A_i = (A_s)^{1/n}$    (5-110)
    $A_i = 0.99^{1/3} = 0.99666$    (5-111)

(3) For each subsystem compute the ratio $\lambda/\mu$ by:

    $\frac{\lambda}{\mu} = \frac{1}{A_i} - 1$    (5-112)
    $\frac{\lambda}{\mu} = \frac{1}{0.99666} - 1 = 0.00336$    (5-113)

(4) Compute $\lambda$ by Eq. 5-113 with $\mu = 0.3$ per hr. The final answer is rounded off to 2 significant figures to avoid implying too much accuracy.

    $\lambda = 0.00336 \times (0.3$ per hr$) = 0.0010$ per hr    (5-114)

Case (3) represents a much more complex problem. Availability must be computed using the state matrix approach. An optimum allocation requires the use of dynamic programming algorithms.
Example Problem No. 10

A system consisting of two s-independent subsystems has an availability of 0.90. Subsystem 1 has an availability of 0.97, and subsystem 2 has an availability of 0.93. A new system, similar in design to this one, must meet a required 0.95 availability. What are the new subsystem availabilities and ratios of failure-to-repair rate?

Procedure and Example

(1) State the availability requirement $A_s$ of the new system.

    $A_s = 0.95$    (5-118)

(2) Compute the sum $\gamma_s$ of the $\gamma$-ratios for the old system:

    $\gamma_{s,\text{old}} = \gamma_1 + \gamma_2$    (5-119)
    $\gamma_{s,\text{old}} = 0.0309 + 0.0753 = 0.1062$    (5-120)

(3) Compute the relative weights $W_j$ by Eq. 5-117.

    $W_1 = \frac{0.0309}{0.1062} = 0.291$    (5-121)
    $W_2 = \frac{0.0753}{0.1062} = 0.709$    (5-122)

(4) Compute an overall $\gamma_s$ for the new system by:

    (5-123)

    $\gamma_{s,\text{new}} = \frac{1}{0.95} - 1 = 0.0526$    (5-124)

(5) Compute the allocated $\gamma_j$ for each subsystem of the new design by:

    $\gamma_j = W_j \gamma_s$    (5-125)

    $\gamma_1 = 0.291 \times 0.0526 = 0.0153$
    $\gamma_2 = 0.709 \times 0.0526 = 0.0373$    (5-126)

(6) Compute the availabilities $A_j$ allocated to each subsystem by:

    (5-127)

    $A_1 = \frac{1}{1 + 0.0153} = 0.985$
    $A_2 = \frac{1}{1 + 0.0373} = 0.964$    (5-128)

(7) Check the allocated availability $A_s$ of the new system by:

    $A_s = A_1 \cdot A_2$    (5-129)
    $A_s = 0.985 \times 0.964 = 0.950$    (5-130)

Since the allocated ratios are known, the trade-off studies can be performed.
FIGURE 5-4. Repair Rate to Failure Rate Ratio vs Unavailability (n = 4) (Ref. 25)

FIGURE 5-5. Repair Rate to Failure Rate Ratio vs Unavailability (n = 5) (Ref. 25)

m = minimum number of units which must be up for the system to be up.
n = total number of units

Copyrighted by Prentice-Hall, Englewood Cliffs, N.J., 1963. Reprinted from System Reliability Engineering by permission.
Example Problem No. 11

A system consists of five identical, s-independent subsystems connected in an active redundant configuration. A system availability of 0.999 is required. Four out of five subsystems must be operating for the system to be up. What is the required $\mu/\lambda$ ratio?

Procedure and Example

(1) State the system availability requirement.

    $A_s = 0.999$    (5-133)

(2) Compute the system unavailability $U_s$ by:

    $U_s = 1 - A_s$    (5-134)
    $U_s = 1 - 0.999 = 0.0010$    (5-135)

(3) Enter Fig. 5-5 for m = 4 and $U_s = 0.0010$, and determine $\mu/\lambda$.

    $\mu/\lambda = 100$    (5-136)
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Example  Problem  No.  11  illustrates  the 
procedure. 
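The chart lookup in Example Problem No. 11 can be reproduced numerically. The following is an added example, not part of the handbook; it assumes each subsystem is repaired independently of the others (so a unit's steady-state availability is ρ/(1 + ρ) with ρ = μ/λ), which is an assumption about the model behind Fig. 5-5, and all function names are hypothetical.

```python
"""Required repair-rate/failure-rate ratio for an m-out-of-n active redundant system."""
from math import comb


def system_unavailability(m: int, n: int, ratio: float) -> float:
    """Pr{fewer than m of the n identical units are up} for ratio = mu/lambda.

    Assumption: units fail and are repaired independently, so each unit is
    down with steady-state probability u = 1 / (1 + ratio).
    """
    if not 1 <= m <= n:
        raise ValueError("need 1 <= m <= n")
    if ratio <= 0:
        raise ValueError("mu/lambda must be positive")
    u = 1.0 / (1.0 + ratio)      # unit unavailability
    a = ratio / (1.0 + ratio)    # unit availability
    # Sum the 'system down' states (k units up, k < m) directly; this avoids
    # the round-off of computing 1 - (a number very close to 1).
    return sum(comb(n, k) * a**k * u**(n - k) for k in range(m))


def required_ratio(m: int, n: int, target_unavailability: float) -> float:
    """Smallest mu/lambda whose system unavailability does not exceed the target."""
    if not 0.0 < target_unavailability < 1.0:
        raise ValueError("target unavailability must lie strictly between 0 and 1")
    lo, hi = 1e-9, 1e12
    if system_unavailability(m, n, hi) > target_unavailability:
        raise ValueError("target not reachable within the search range")
    # Unavailability falls monotonically as mu/lambda rises, so bisect.
    # The bisection runs on a log scale because the answer can span decades.
    for _ in range(200):
        mid = (lo * hi) ** 0.5
        if system_unavailability(m, n, mid) > target_unavailability:
            lo = mid
        else:
            hi = mid
    return hi


def ratio_table(n: int, target_unavailability: float) -> dict:
    """Required mu/lambda for every m = 1..n: one point on each curve of the chart."""
    return {m: required_ratio(m, n, target_unavailability) for m in range(1, n + 1)}


if __name__ == "__main__":
    # Example Problem No. 11: n = 5, m = 4, A_s = 0.999, so U_s = 0.001.
    print("required mu/lambda:", round(required_ratio(4, 5, 0.001), 2))
    print("U_s at mu/lambda = 100:", system_unavailability(4, 5, 100.0))
    for m, rho in ratio_table(5, 0.001).items():
        print(f"m = {m}: mu/lambda >= {rho:.2f}")
```

Under the independence assumption the computed ratio falls slightly below the value of 100 read from Fig. 5-5, and a ratio of 100 gives a system unavailability just under the required 0.0010.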

5-3.5  RELIABILITY  WITH  REPAIR  AND 
INSTANTANEOUS  AVAILABILITY 

In general, reliability with repair and
instantaneous availability only can be computed
using the state matrix approach. Except
for very simple systems, algebraic expressions
that represent reliability without repair and
instantaneous availability as functions of
subsystem failure and repair rates are
extremely cumbersome and cannot be manipulated
readily. The engineer must define the
transition matrix of the system in order to
implement these procedures.

CHAPTER 6 HUMAN FACTORS


6-0 LIST OF SYMBOLS

Cdf = Cumulative distribution function
pdf = probability density function
Pr{·} = probability of . . .
Pr{·|·} = conditional probability. The “|” is read as “given that”.
Sf = Survivor function: Sf = 1 − Cdf


6-1  INTRODUCTION 

All  systems  of  concern  in  this  Handbook 
are  of,  by,  and  for  humans.  Analyses  of  the 
behavior  and  needs  of  humans  are  among  the 
more  controversial  of  the  sciences;  thus  it  is 
no  surprise  that  there  are  several  competing 
approaches  to  the  handling  and  identification 
of  people  problems.  Refs.  22  and  23  analyze 
some  of  these  approaches;  but  even  there, 
some  disagreements  exist  about  the  compar- 
isons themselves.  It  is  convenient  to  classify 
four  types  of  human  interactions  with  a sys- 
tem; the  classes  are  convenient,  but  not  sharp 
and  clear  cut: 

(1)  Design  and  production  of  a system 

(2)  Operators  and  repairers  as  mechan- 
ical elements  (human  engineering) 

(3) Operators and repairers as decision
elements (human performance reliability)

(4)  Bystanders  (this  classification  is  not 
considered  further  because  it  is  largely  a safe- 
ty matter,  not  reliability). 

An  example  of  the  fuzziness  between  classes 
is  an  operator’s  having  to  decide  what  to  do, 
then  doing  it;  there  is  considerable  interaction 
between  the  two  activities. 

An  initial  appraisal  of  the  man/machine 
system  must  consider  such  aspects  as:  alloca- 
tion of  functions  (man  vs  machine),  auto- 
mation, accessibility,  human  tasks  and  their 
performance  metrics,  human  stress  character- 
istics, information  presented  to  the  human 
and  the  reliability  of  inferences  coupled  with 
the  decisions  on  the  basis  of  such  infor- 
mation, and  accessibility.  The  answers  to 
these  questions  and  the  study  of  man/ma- 
chine interactions  and  interfaces  fall  within 
the  field  variously  called  human  factors, 
human  engineering,  or  ergonomics  (Ref.  28). 


This field is defined in MIL-STD-721 (Ref. 7)
as: “A body of scientific facts about human
characteristics. The term covers all biomedical
and psychosocial considerations; it includes,
but is not limited to, principles and applications
in the area of human engineering, personnel
selection, training, life support, job
performance aids, and human performance
evaluation.”

Human  factors  engineering  is  applied  to 
research,  development,  test,  and  evaluation  of 
systems  to  insure  efficient  integration  of  man 
into  the  system  environment.  This  integration 
is  intended  to  increase  and  preserve  human 
and  machine  performance  in  the  system  dur- 
ing operation,  control,  maintenance,  and  sup- 
port activities.  Human  engineering,  therefore, 
becomes  an  active  participant  in  the  system 
engineering  process  and,  consequently,  must 
be  weighed  against  safety,  reliability,  main- 
tainability, and  other  system  parameters  to 
obtain  trade-offs  providing  increased  system 
effectiveness.  During  the  concept  formulation 
phase,  human  factors  data  are  used  in  predic- 
tions of  system  effectiveness  and  for  initial 
function  allocation  studies.  Human  reliability 
studies  during  the  contract  definition  phase 
are  included  in  system  reliability  calculations, 
maintainability  time  and  performance  evalua- 
tions, system  and  subsystem  safety  analyses, 
and  specific  human  engineering  design  cri- 
teria. The  engineering  development  and  pro- 
duction phases  provide  specific  man/machine 
interactions  for  amplification  of  previous 
studies,  isolate  and  define  trade-off  and  inter- 
action problems  not  previously  identified,  and 
allow  verification  of  prior  design  decisions  on 
reliability,  maintainability,  safety,  and  other 
system  parameters  which  interact  with  human 
factors. 

An  annotated  bibliography  of  27  items 
taken  from  NTIS  reports  is  listed  in  Appendix 
C. 


6-2  DESIGN  AND  PRODUCTION 

On the average, people are average. This
truism is often forgotten by system designers,
planners, and managers. Each wants to have
well-above-average people in the tasks he is
arranging. System designers do pay some
attention to this problem when considering
operators and repairers. But rarely is it considered
in the design and manufacturing areas,
although industrial and manufacturing engineers
do deal with it as they are able in their
constricted region of operation.

Beginning with the conception of a system,
it is important to realize the limitations
of the people involved all through the life
cycle. Large organizations cannot and will not
change rapidly, even though there is a management
decree that the change will occur.
People cannot adequately plan complete
changes in a way of life or of work; there are
too many unknown, unforeseen factors.

A system and its subsystems ought to be
straightforward to design. Interfaces between
subsystems ought to be as simple as possible.
The more complexity, the more likely failures
are to occur. Checklists are a valuable aid to
designers. Design reviews and other product
reviews (Chapter 11) help to overcome human
limitations by putting some redundancy in
the design system.

The designer of an equipment needs to
consider how it will be produced; e.g., what
kinds of quality control will be necessary,
what machines/operators will actually perform
a task. Reducing the occasion of very
similar appearing parts, but which are different,
can help avoid mistakes. A design that
can accept looser tolerances might be better
than one which requires tight tolerances, even
though the latter would perform better if
everything were right.

The designer needs to consider how the
equipment actually will be repaired in the
field. For example, if a repair when done right
takes about 8 hr, and when done almost-right
takes 1 hr, which way will it be done under
the pressures of understaffed maintenance
crews many of whom are inexperienced? One
cannot expect that field service personnel will
have the knowledge about the system that the
designers have. Even where the situation is
understood, the officer-in-charge under the
pressures of command might well choose to
have the almost-right repair that takes only 1
hr. The designer must always keep in mind
that the equipment will be used and repaired
by ordinary people who have other things in
mind than “babying” the equipment. He must
realize the difference between what people
actually will do, and what he thinks they
ought to do.

If the familiar production processes in a
plant will have to change, then a quality assurance
effort must be implemented to be sure
the system does change and that it changes
correctly.

A Cause-Consequence chart (Chapter 7)
is a good tool for viewing the design-production
process. It allows one to look at:

(1)  What  can  go  wrong  (causes) 

(2)  How  likely  it  is  to  go  wrong 

(3)  What  happens  when  it  does  go  wrong 
(consequences) 

(4)  How  to  alleviate  the  severe  conse- 
quences. 

Anywhere people are involved in doing something,
the Cause-Consequence chart, even a
very simple one, can help locate potential
people problems.

System  planners  should  be  aware  of  the 
impact  of  administrative  policies  on  the  reli- 
ability of  systems.  In  Ref.  10  it  is  shown  that 
many  reported  failures  were  not  the  result  of 
either  faulty  design  or  human  error  (for  the 
Air Force F-106 avionics systems), but were
“required”  by  the  procedural  environment. 
Ref.  10  ought  to  be  read  by  every  system 
planner. 

6-3  HUMAN  ENGINEERING 

This area deals largely with motor responses
of operators and with varied human
physical capabilities. Refs. 1-6 cover this
area adequately. Typical constraints are that:

(1) An operation ought to be within the
physical capabilities of the central 95% of the
potential operators.

(2) A person is not required to do something
that his coordination will not allow him
to do, e.g., something akin to patting his head
with the left hand while rubbing his chest
with the right hand.

(3) Real people cannot easily use, read,
and respond to controls and displays, especially
in times of psychological stress.

Mock-ups under realistic conditions are
very helpful in uncovering forgotten constraints.
For example, if an equipment must
be used at night in extremely cold weather,
have a person try to use it in a freezing, poorly
lit room for several hours.

Military standards, regulations, specifications,
and other publications contain guidelines,
policies, and requirements for human
factors and human engineering. For example,
Army requirements and policies for human
engineering programs are presented in Refs.
8-10. MIL-STD-1472 (Ref. 1), the
MIL-STD-803 series (Refs. 2-4), and MIL-H-46855
(Ref. 5) give design criteria, requirements,
and definitions for human engineering
in military systems. Standardization,
automation, visual and auditory displays,
controls, labeling, workspace design, maintainability,
remote handling devices, safety
hazards, and environmental requirements are
some of the subjects treated in these sources
(Refs. 1-5). Definitions of human factors
terms are also found in MIL-STD-721 (Ref.
7).


6-4 HUMAN PERFORMANCE RELIABILITY

The analysis of human factors recognizes
that both human and machine elements can
fail, and that just as equipment failures vary
in their effects on a system, human errors can
also have varying effects on a system. In some
cases, human errors result from an individual’s
action, while others are a consequence of
system design or manner of use. Some human
errors cause total system failure or increase
the risk of such failure, while others merely
create delays in reaching system objectives.
Thus, as with other system parameters,
human factors exert a strong influence on the
design and ultimate reliability of all systems
having a man/machine interface. A good summary
and critical review of human performance
reliability predictive methods is given
in Ref. 22 which is a summary of Ref. 23.
Both references contain excellent bibliographies.
Table 6-1 is taken from Ref. 22
and lists the available predictive methods.


TABLE 6-1. LIST OF PREDICTIVE METHODS

OPERABILITY METHODS

A. Analytic

*1. American Institute for Research (AIR) Data Store
*2. THERP-Technique for Human Error Rate Prediction
*3. TEPPS-Technique for Establishing Personnel Performance Standards
4. Pickrel/McDonald Method
5. Berry-Wulff Method
6. Throughput Method
7. Askren/Regulinski Method
8. DEI-Display Evaluative Index
9. Personnel Performance Metric
10. Critical Human Performance and Evaluative Program (CHPAE)

B. Simulation

*1. Digital Simulation Method
2. TACDEN
3. Boolean Predictive Technique
*4. HOS-Human Operator Simulator
*5. ORACLE-Operations Research and Critical Link Evaluator

MAINTAINABILITY METHODS

1. ERUPT-Elementary Reliability Unit Parameter Technique
*2. Personnel Reliability Index
*3. MIL-HDBK 472 Prediction Methods

*Methods described in Ref. 22. References to all methods
are given in Ref. 22.


In the initial evaluation of a design, the
man/machine system can be put into clearer
perspective by answering the following two
questions:

(1) In the practical environment, which
of the many characteristics that influence
human performance are truly important;
which must be included in the design; and
under what circumstances is each characteristic
important?

(2) What effect will including or excluding
particular characteristics have on the
design of the system?

6-4.1 THE RELATIONSHIP BETWEEN HUMAN
FACTORS AND RELIABILITY


Both  reliability  and  human  factors  are 
concerned  with  predicting,  measuring,  and 
improving  system  performance.  System  fail- 
ures are  caused  by  human  or  equipment  mal- 
functions. Thus,  system  reliability  must  be 
evaluated  from  the  viewpoint  that  the  sys- 
tem consists  not  only  of  equipment  and  pro- 
cedures, but  also  includes  the  people  who 
use  them.  The  reliability  engineer  must 
analyze  and  provide  for  reliability  in  the 
equipment  and  procedures,  and  also  must 
work  closely  with  the  human  factors  engi- 
neer to  identify  and  plan  for  human  reliabil- 
ity factors  and  their  effects  on  the  overall 
system  reliability.  Similarly,  the  human  fac- 
tors engineer  is  concerned,  from  the  reliabil- 
ity viewpoint,  with  the  reliability  of  humans 
in  performing  or  reacting  to  equipment  and 
procedure  activities,  and  the  effect  that 
system  reliability  will  have  on  human  activi- 
ties. When  the  man/machine  interface  is 
complex,  for  example,  the  possibility  of 
human  error  increases,  with  an  accompany- 
ing increase  in  the  probability  of  system  fail- 
ure due  to  human  error.  Of  particular  con- 
cern to  the  reliability  and  human  factors 
engineers  are  the  frequency  and  modes  of 
human  failures,  and  the  degree  of  adverse 
effect  of  human  failures  on  the  system.  One 
obvious  approach  to  eliminating  failures  due 
to  human  error  is  to  replace  the  human  by  a 
machine.  This  approach,  however,  must  con- 
sider the  complexity,  reliability,  interactions 
with  other  equipment,  cost,  weight,  size, 
adaptability,  maintainability,  safety,  and 
many more characteristics of a machine replacement
for the human. An interesting
facet of the human factors/reliability relationship
(and which also concerns the maintainability
engineer) is that the continuation
of the system designed-in reliability depends
upon the detection and correction of malfunctions.
This task usually is assigned to
humans. Thus, system performance can be
enhanced or degraded, depending upon
whether or not the malfunction information
is presented so that it is understood readily.
By studying human response to various
stimuli (audio, visual, etc.), the human factors
engineer provides valuable guidance in
the design of system malfunction indicators.
Ref. 11 contains additional information on
human reliability and includes methods for
collecting, analyzing, and using system failure
data in a quantitative approach to human
reliability. A study of the feasibility of
quantifying human reliability characteristics
and subsequent development of a methodology
for quantifying human performance,
error prediction, control and measurement
are discussed in Refs. 12-14, 30, 32-35.
Ref. 31 is a comprehensive abstract of
human performance measures.

6-4.2 HUMAN FACTORS THEORY

Basically, human behavior is a function
of three parameters (Ref. 29):

(1) Stimulus-Input (S), any stimuli,
such as audio or visual signals, failure indications,
or out-of-sequence functions which act
as sensory inputs to an operator.

(2) Internal Reaction (O), the operator’s
act of perceiving and interpreting the S
and reaching a decision based upon these inputs.

(3) Output-Response (R), the operator’s
response to S based upon O. Talking, writing,
positioning a switch, or other responses are
examples of R.

All behavior is a combination of these
three parameters, with complex behavior
consisting of many S-O-R chains in series,
parallel, or interwoven and proceeding concurrently.
Each element in the S-O-R
chain depends upon successfully completing
the preceding element. Human errors occur
when the chain is broken, as, for example,
when a change in conditions occurs but is
not perceived as an S; when several S’s cannot
be discriminated by the operator; when
an S is perceived but not understood; when
an S is correctly recognized and interpreted,
but the correct R is unknown (i.e., operator
cannot reach a decision, or complete O);
when the correct R is known but is beyond
the operator’s capabilities (i.e., operator
completes O but cannot accomplish R); or
when the correct R is within the operator’s
capabilities but is incorrectly performed.

Human factors, reliability, safety, maintainability,
and other system engineering
elements must be directed to a system design
that contributes to proper operator responses
by creating perceivable and interpretable
stimuli requiring reactions within the operator’s
capabilities. Feedback ought to be incorporated
into the design to verify that operator
responses are correct. In other words, equipment
characteristics should serve as both
input and feedback stimuli to the operator.
These relationships between human and
equipment elements are depicted in Fig. 6-1.

6-4.3 MAN/MACHINE ALLOCATION AND
RELIABILITY

The functional block diagrams, allocation
of task error rates, mathematical modeling of
performance, prediction of performance reliability,
and validation are applied to human
subsystems in much the same manner as in
the reliability of hardware subsystems.
Stochastic modeling and quantification of
human performance reliability can be done in
either time-discrete or time-continuous
domains. Particularly useful techniques are:

(1) Data generation and processing, including
tests of randomness, stationarity,
and ergodicity

(2) Failure modes and effects analysis
(Chapter 8)

(3) Parameter variation analysis (Chapter 10)

(4) Cause-Consequence charts (Chapter 7)

(5) Estimation of suitable distributions
for random variables

(6) Decisionmaking methods such as
hypothesis testing, multiple decision and
sequential testing, and formulating rules for
strategies.

Many of these techniques are discussed in
greater detail in Refs. 25, 36-41.

FIGURE 6-1. The Man/Machine Interaction⁸
[Diagram labels: Inputs (other personnel); Outputs (other equipment);
Outputs (effects on the equipment itself); Feedback; Verbal and Other Responses]

Reliability of a system is affected by the
allocation (not necessarily quantitative) of
system functions to either the man, the machine,
or both. Table 6-2 lists some of the
salient characteristics of the humans and
machines which are pertinent to the allocation
choice. As is evident from studying Table
6-2, the prediction of human reliability is
more difficult than the prediction of machine
reliability. The machine's insensitivity to
extraneous factors (Item 10 in Table 6-2)
versus the human's sensitivity to these factors
is one consideration, leading to human performance
variability and the subsequent capability
to predict machine reliability more precisely.
In fact, a human's response can be sufficiently
influenced to vary from 0.0001 to
0.9999 reliability within conditions that
would not affect a machine. The machine, for
example, does not react to environments of
combat which could produce severe psychological
stress and breakdown in a human.
Since the trade-off depends partly on the
nature of the system and human functions
and partly on the way the allocation problem
is approached, each design situation requires a
separate human factors analysis. Such variables
as cost, weight, size, hazard levels,
adaptability, and state of technology must be
considered for each system.

One approach to the choice between man
and machine is to compare the predicted reliabilities
of each. This approach, however,
should not be based solely on failure rates,
since humans are sufficiently adaptable to
recover quickly and correct some human-induced
malfunctions. Similarly, humans have
the flexibility to handle unique situations that
might cause system failure if an unadaptable
machine were assigned the task. An approach
based on reliability comparisons ought to use
failure rates in conjunction with an analysis of
man/machine characteristics and the desired
task accomplishments.


Another approach to man/machine allocation
is illustrated by Fig. 6-2. This approach
has three general steps:

(1) Develop a prediction model.

(2) Generate Task Equipment Analysis
(TEA) data.

(3) Predict man/machine reliability using
the TEA data as inputs to the prediction
model.

The predictive model can be developed in
either the time-discrete or time-continuous
domains, depending on the nature of the
human task. The human performance reliability
is defined as (Ref. 42):

(1) Pr{task performance without error |
stress} (discrete)

(2) Pr{task performance without error in
an increment of time | stress} (continuous).

Embodied in the stress is the totality of all
factors (psychological, physiological, and
environmental) which affect human performance.

For discrete tasks such as pushing a button
or throwing a lever, the task random variable
has only discrete values (often, the positive
integers). The reliability of some discrete
repetitive task (assuming that the trials are
s-independent and have the same probability)
can be estimated simply as the fraction of the
trials which are a success. The discrete human
performance unreliability sometimes can be
approximated by the error-rate multiplied by
the time-interval (Ref. 24).

The time-continuous quantification of
human performance reliability is applied to
such tasks as:

(1) Tracking a signal displayed on a
screen

(2) Manually controlling the pitch, roll,
and yaw of an aircraft

(3) Performing a vigilance task which
might require, for example, the detection of
the presence (or absence) of a specified event.
In this type of task, the random variable is
continuous in time over some domain.

TABLE 6-2. CHARACTERISTICS OF HUMANS AND MACHINES⁸

Characteristics Tending to Favor Humans

1. Ability to detect certain forms of energy.
2. Sensitivity to a wide variety of stimuli within a restricted range.
3. Ability to perceive patterns and generalize about them.
4. Ability to detect signals (including patterns) in high noise environments.
5. Ability to store large amounts of information for long periods and to
   remember relevant facts at the appropriate time.
6. Ability to use judgment.
7. Ability to improvise and adopt flexible procedures.
8. Ability to handle low probability alternatives (i.e., unexpected events).
9. Ability to arrive at new and completely different solutions to problems.
10. Ability to profit from experience.
11. Ability to track in a wide variety of situations.
12. Ability to perform fine manipulations.
13. Ability to perform when overloaded.
14. Ability to reason inductively.

Characteristics Tending to Favor Machines

1. Monitoring men or other machines.
2. Performance of routine, repetitive, precise tasks.
3. Responding quickly to control signals.
4. Exerting large amounts of force smoothly and precisely.
5. Storing and recalling large amounts of precise data for short periods of time.
6. Computing ability.
7. Range of sensitivity to stimuli.
8. Handling of highly complex operations (i.e., doing many different things at once).
9. Deductive reasoning ability.
10. Insensitivity to extraneous factors.

The time-to-error has a random distribution,
just as time-to-failure of hardware;
this distribution will have a pdf, Cdf, Sf, and
failure rate (error rate). Depending on the
specific task, a measure of human performance
reliability might be mean time-to-first-error,
mean time-to-error, median time-between-errors,
or something similar. Numerous
other measures similarly can be formulated.
For example, because of the capacity of the
human to correct self-generated errors, it is
germane to model some performance function
related to error correction. In Ref. 24 such
performance measure is formulated as correctability
and defined as:

Pr{Completion of task error correction in
a certain time | stress}.

The time-to-task-error-correction
is analogous to time-to-repair
and has a random distribution (and of course,
all the descriptions of such a distribution).
Refs. 12, 23, 27 provide a comprehensive
treatment of man-machine reliability modeling
in this context.

FIGURE 6-2. Predicting Man/Machine Reliability’7

Examples of numerical evaluation of
these probabilities are:

(1) The human subsystem (operator) is
required to interconnect two machines in a
decision sense. From TEA data it is determined
that the probability of a successful
interconnection on a single trial is 10%, a
very difficult task.

(2) Radar operators who are tracking
multiple target signals have two types of
errors: missing a target which is displayed, or
false alarming. TEA data might show that the
time-to-first-false-alarm is lognormally distributed.
As shown in Part Six, Mathematical
Appendix and Glossary, the parameters of the
distribution could be estimated (along with
their uncertainties) from some sample data.
The median time-to-first-false-alarm could
then be calculated, as could any other point
on the distribution.
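The two kinds of estimate described above, a discrete task reliability taken as the fraction of successful trials and a lognormal time-to-first-false-alarm with its median, can be worked through as follows. This is an added example, not taken from the handbook or from Part Six: the sample data are constructed, the function names are hypothetical, and the Wilson score interval and the large-sample normal interval for the median are assumed choices for expressing the uncertainties.

```python
"""Human performance reliability estimates from constructed TEA-style data."""
import math
from statistics import NormalDist, mean, stdev


def _z(confidence: float) -> float:
    """Two-sided standard normal quantile for the given confidence level."""
    if not 0.0 < confidence < 1.0:
        raise ValueError("confidence must lie strictly between 0 and 1")
    return NormalDist().inv_cdf(0.5 + confidence / 2.0)


def discrete_reliability(successes: int, trials: int, confidence: float = 0.90):
    """Fraction of successful trials plus a Wilson score interval.

    Assumes the trials are s-independent with the same success probability.
    """
    if trials <= 0 or not 0 <= successes <= trials:
        raise ValueError("need trials > 0 and 0 <= successes <= trials")
    p = successes / trials
    z = _z(confidence)
    denom = 1.0 + z * z / trials
    centre = (p + z * z / (2 * trials)) / denom
    half = z * math.sqrt(p * (1 - p) / trials + z * z / (4 * trials**2)) / denom
    return p, max(0.0, centre - half), min(1.0, centre + half)


def fit_lognormal(times):
    """Return (mu, sigma) of ln(time) for strictly positive, uncensored times."""
    if len(times) < 2 or any(t <= 0 for t in times):
        raise ValueError("need at least two strictly positive times")
    logs = [math.log(t) for t in times]
    return mean(logs), stdev(logs)


def median_with_interval(times, confidence: float = 0.90):
    """Median time exp(mu) with a large-sample normal interval on mu."""
    mu, sigma = fit_lognormal(times)
    half = _z(confidence) * sigma / math.sqrt(len(times))
    return math.exp(mu), math.exp(mu - half), math.exp(mu + half)


def survivor(t: float, mu: float, sigma: float) -> float:
    """Sf(t) = 1 - Cdf(t): probability that no false alarm has occurred by t."""
    if t <= 0:
        return 1.0
    return 1.0 - NormalDist(mu, sigma).cdf(math.log(t))


# Constructed data: 3 successful interconnections in 30 trials, and seven
# observed times (minutes) to an operator's first false alarm.
TRIALS = (3, 30)
FALSE_ALARM_MINUTES = [5.0, 10.0, 20.0, 40.0, 80.0, 160.0, 320.0]

if __name__ == "__main__":
    print("discrete reliability:", discrete_reliability(*TRIALS))
    mu, sigma = fit_lognormal(FALSE_ALARM_MINUTES)
    print("median and interval:", median_with_interval(FALSE_ALARM_MINUTES))
    print("Sf(10 min):", round(survivor(10.0, mu, sigma), 3))
```

With only seven observations the interval on the median is wide, and the normal interval is a large-sample approximation; a Student-t interval would be wider still.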


6-4.4 INTERACTIONS AND TRADE-OFFS

The principal determinant of man/machine
performance is the complexity of
human tasks within the system. A system
design that requires frequent and precise adjustments
by an operator may create reliability
problems associated with wear-out or
maladjustment of the control device, or
maintainability problems from repeated replacement
of the worn control. On the other
hand, a design providing an automatic adjusting
mechanism may cause problems of
cost, weight, size, reliability, maintainability,
or safety due to the control’s complexity.
Similarly, for the same level of effectiveness,
a system that through design, location, or
environment is difficult to repair must necessarily
be made more reliable than a system
with a less complex man/machine interface.
Thus, the man/machine interaction can contribute
to, or detract from, the effectiveness
of other disciplines depending upon trade-offs
and interactions selected during the
system engineering process.

Refs.  6,  18-21  give  additional  design 
guides  and  approaches  for  solving  human 
factors  problems  and  trade-offs  with  other 
disciplines.  A valuable  consideration,  the  use 
of  human  factors  information  by  designers, 
is  discussed  and  illustrated  with  tests  and 
examples  in  Refs.  15-17. 

6-4.5  THERP  (TECHNIQUE  FOR  HUMAN 
ERROR  RATE  PREDICTION) 

The  human  performance  reliability  model 
developed  at  Sandia  Laboratories  is  defined  as 
(Ref.  42): 

"THERP  is  a method  to  predict 
human  error  rates  and  to  evaluate  the 
degradation  to  a man-machine  system 
likely  to  be  caused  by  human  errors  in 
association  with  equipment  function- 
ing, operational  procedures  and  prac- 
tices, and  other  system  and  human 
characteristics  which  influence  system 
behavior.” 

There  are  five  steps  in  applying  the 
model. 

(1)  Define  the  system  failures  (conse- 
quences). Work  with  the  failures  one  at  a 
time. 

(2)  List  and  analyze  the  human  opera- 
tions related  to  each  failure  (task  analysis). 

(3)  Estimate  the  appropriate  error  prob- 
abilities. 

(4) Estimate the effects of human errors
on the system failure. Usually the hardware
characteristics will have to be considered in
the analysis.

(5)  Recommend  changes  to  the  man/ma- 
chine system  and  return  to  Step  2. 

Ref. 42 summarizes and explains the THERP model (and extols its
virtues). Ref. 43 is an annotated bibliography of the Sandia
Laboratories work in this area and will be very helpful to anyone
trying to estimate the effects of human frailty on a system. It
lists 44 sources of further information.
CHAPTER 7 CAUSE-CONSEQUENCE CHARTS


7-1  INTRODUCTION 

A Cause-Consequence  chart  shows  the 
logical  relationships  between  causes  (events 
which  are  analyzed  in  no  more  detail)  and 
consequences  (events  which  are  of  concern 
only  in  themselves,  not  as  they  in  turn  af- 
fect other  events).  The  chart  usually  is  repre- 
sented with  consequences  at  the  top  and 
causes  at  the  bottom;  and  the  words  Top 
and  Bottom  have  come  into  common  use  to 
describe those portions of the chart. A Failure
Modes and Effects Analysis (FMEA)
deals  largely  with  the  bottom  part  of  the 
chart.  A fault  tree  is  a part  of  a Cause-Con- 
sequence chart.  It  consists  of  only  one  con- 
sequence and  all  its  associated  branches.  The 
remainder  of  this  chapter  deals  mostly  with 
fault  trees.  The  Cause-Consequence  chart  is 
created  by  superimposing  the  separately 
created  fault  trees.  The  Cause-Consequence 
chart  can  be  used  to  organize  one's  knowl- 
edge about  any  set  of  causes  and  their  con- 
sequences; its  use  is  not  limited  to  hard- 
ware-oriented systems. 

The principles of fault tree creation are straightforward and
easy to grasp. The notation to be used and the discipline to be
followed ought to be learned before trying to create a fault tree
for a system. The practice of Fault Tree Analysis is tedious,
extremely time consuming, and most profitable. Ordinarily, it is
done in conjunction with an FMEA (see Chapter 8) because both of
the analyses deal with causes and consequences. The bookkeeping
aspects—viz., the keeping track of each item, its states
(conditions) which are to be considered, and its place in the
hierarchy—are very important because mistakes are so easy to
make. Unless a strict discipline of labeling items and their
states is followed, it is easy to make errors in identifying
items, e.g., two different codes might be assigned to one item.

A fault  tree  usually  is  constructed  in 
parts  because  it  takes  so  much  room.  Each 
page  of  the  fault  tree  refers  to  other  pages  of 
the  fault  tree  and  has  certain  conditions  that 
are true for that page. One must carefully keep track of all of
these in order to keep errors out of the fault tree.

There is a set of conventions for constructing fault trees; it
should be followed rigorously. The reason for following the
conventions is to have a fault tree whose parts can be created by
several people and which can be understood by many people. Since
some set of rules must be followed, if utter chaos is to be
avoided, one may as well choose the set in common use.

It  is  worthwhile  keeping  a file  of  general 
subtrees  for  common  items  (e.g.,  pumps  and 
motors)  to  avoid  having  to  create  that  subtree 
each  time  it  is  needed.  In  each  application, 
the  general  subtree  in  the  file  can  be  pruned 
to  fit  the  application. 

Usually  a fault  tree  is  drawn  with  the 
same  orientation  as  the  Cause-Consequence 
chart: the trunk (representing the consequence) is at the top
and the leaves (representing the causes) are at the bottom.

During  the  course  of  constructing  the 
fault  tree,  there  will  be  many  false  starts, 
blind  alleys,  system  changes,  and  mistakes. 
The engineers will learn a great deal about the
system;  in  fact,  this  scheme  of  knowledge  or- 
ganization is  useful  precisely  because  it  does 
require  that  the  engineers  know  and  make  ex- 
plicit assumptions  about  the  relationships  of 
items  in  the  system. 

Fault  trees  can  be  used  for  a complete 
plant  as  well  as  any  of  the  component  systems 
and subsystems. Fault trees provide an objective basis for
analyzing system design, performing trade-off studies, analyzing
common mode failures, demonstrating compliance with safety
requirements, and justifying system changes or additions.

The  logic  of  the  approach  makes  it  a visi- 
bility tool  for  both  engineering  and  manage- 
ment. Many  reliability  techniques  are  induc- 
tive and  are  concerned  primarily  with  assuring 
that  hardware  will  accomplish  reliably  its 
assigned functions. The fault tree method is concerned with
assuring that all critical aspects of a system are identified and
controlled. The fault tree itself is a graphical representation
of Boolean logic associated with the development of a particular
system failure (consequence), called the TOP event, to basic
failures (causes), called primary events. For example, the TOP
event could be the failure of a reactor scram system to operate
during an excursion, with the primary events being failures of
the individual scram-system components.

In 1961 the concept of fault tree analysis was originated by Bell
Telephone Laboratories as a technique for safety evaluation of
the MINUTEMAN Launch Control System (Ref. 1). At the 1965 Safety
Symposium (Ref. 2) several papers expounded the virtues of fault
tree analysis. They marked the beginning of a widespread interest
in using fault tree analysis as a reliability tool in the nuclear
reactor industry. In the early 1970's great strides were made in
the solution of fault trees to obtain complete reliability
information about relatively complex systems (Refs. 3-7). The
collection and evaluation of failure data are still very
important (Refs. 8-11).

Fault  tree  analysis  is  of  major  value  in: 

1.  Directing  the  analyst  to  ferret  out 
failures  deductively 

2.  Pointing  out  the  aspects  of  a system 
which  are  important  with  respect  to  the  fail- 
ure of  interest 

3.  Providing  a graphical  aid  for  system 
management  people  who  are  removed  from 
the  system  design  changes 

4.  Providing  options  for  qualitative  or 
quantitative  system  reliability  analysis 

5.  Allowing  the  analyst  to  concentrate 
on  one  particular  system  failure  at  a time 

6.  Providing  the  analyst  with  genuine 
insight  into  system  behavior. 

Fault  tree  models  do  have  disadvantages. 
Probably  the  most  outstanding  is  the  cost  of 
development  in  first-time  application  to  a 
system.  As  in  the  development  of  engineering 
drawings,  the  cost  is  somewhat  offset  by  fu- 
ture application  of  the  models  in  accident  pre- 
vention, maintenance  scheduling,  and  system 
modifications. The additional expense is justified by the detail
resulting from fault tree analysis. Another disadvantage is that
not many engineers are familiar with it. A lesser disadvantage is
that skilled personnel might develop a fault tree for a given
system in different ways.

Although  certain  single  failures  that  can 
result  in  several  component  failures  simultane- 
ously—called  common  mode  failures*— can  be 
pointed  out  by  a detailed  fault  tree  analysis, 
the  analyst  must  be  alert  to  include  other 
common  mode  failures  properly  in  the  fault 
tree  and  to  be  aware  that  fault  tree  analysis 
does  not  inherently  ferret  out  all  common 
mode  failures. 

Most of this chapter is adapted from Ref. 17.

7-2  GENERATION 

A system component is a basic constituent for which failures are
considered primary failures during fault tree construction.
Consequently, the components of a given system
can  change  depending  on  the  TOP  event  being 
studied  or  the  detail  the  analyst  wishes  to 
include  in  the  fault  tree  analysis.  Some  com- 
ponents have  several  operating  states,  none  of 
which  are  necessarily  failed  states.  For  ex- 
ample, relay  contacts  can  be  open  or  closed. 
The  description  of  these  states  is  called  the 
component  configuration. 

Fault  tree  construction  is  the  logical 
development  of  the  TOP  event.  As  the  con- 
struction proceeds,  each  fault  event  also  is 
developed  until  primary  failures  are  reached. 
A fault  event  is  a failure  situation  resulting 
from the logical interaction of primary failures. The
development of any fault event results in a branch of the fault
tree. The event
being  developed  is  called  the  base  event  of  the 
branch.  The  branch  is  complete  only  when  all 
events  in  the  branch  are  developed  to  the  level 
of  primary  failures.  Every  event  in  a branch  is 
in  the  domain  of  the  base  event.  In  addition, 
if  the  base  event  is  an  input  to  an  AND  gate, 
every  event  in  the  branch  is  in  the  domain  of 
every  input  to  that  AND  gate. 

A fault  tree  gate  is  composed  of  two 
parts: 

1. The Boolean logic symbol that relates the inputs of the gate
to its output event

2.  The  output  event  description. 

*This nomenclature has been changed in 1975 to "common cause"
failure.
A gate is equivalent to another gate if and only if the logic
symbol, the output event description, and the effective boundary
conditions associated with the output event are identical. These
effective boundary conditions modify an event and are imposed by
the analyst or are generated by previously occurring fault
events. A complete treatment of these effective boundary
conditions is given in Ref. 12. The event description must have
two parts: (1) the incident identification, and (2) the entity
identification. The incident identification defines, as briefly
as possible, the fault without indicating any hardware involved.
The entity identification specifies the item involved.

Two  kinds  of  symbols  are  used  in  a fault 
tree:  logic  symbols  as  shown  in  Fig.  7-1,  and 
event  symbols  as  shown  in  Fig.  7-2  (Refs. 
1,8,13,17). 

The  logic  symbols  (gates)  are  used  to 
interconnect  the  events  that  contribute  to  the 
specified  main  (TOP)  event.  The  logic  gates 
that  are  used  most  frequently  to  develop  fault 
trees  are  the  basic  AND  and  OR  Boolean  ex- 
pressions. The  AND  gate  provides  an  output 
event  only  if  all  input  events  occur  simul- 
taneously. The  OR  gate  provides  an  output 
event  if  one  or  more  of  the  input  events  are 
present. 

The usual event symbols are the rectangle, circle, and diamond.
The rectangle represents a fault event resulting from the
combination of more-basic faults acting through logic gates. The
circle designates a basic system-component failure or fault input
that is s-independent of all other events designated by circles
and diamonds. The diamond symbol describes fault inputs that are
considered basic in a given fault tree. However, the event is not
basic in the sense that laboratory data are applicable. Rather,
the fault tree is simply not developed further, either because
the event is of insufficient consequence or the necessary
information is unavailable. In order to solve a fault tree, both
circles and diamonds must be used to represent events for which
reliability information is necessary to the fault tree. Events
that appear as circles or diamonds are treated as primary events.

The triangles shown in Fig. 7-2 strictly are not event symbols
although traditionally they have been classified as such. The
triangle indicates a transfer from one part of the fault tree to
another. A line from the side of the triangle (transfer-out
triangle) denotes an event transfer out from the associated logic
gate. A line from the apex of the triangle denotes an event
transfer into the associated logic gate from the transfer-out
triangle with the same identification number.

The  other  logic  gates  and  events  symbols 
are  shown  and  explained  in  Figs.  7-1  and  7-2. 

A minimal cut set is a smallest set of primary events, inhibit
conditions, and/or undeveloped fault events which must all occur
in order for the TOP event to occur. The primary events represent
the resolution of the fault tree. The minimal cut sets represent
the modes by which the TOP event can occur. For example, the
minimal cut set $A_1 A_2$ means that both the primary events
$A_1$ and $A_2$ must occur in order for the TOP event to occur.
The occurrence of $A_1$ and $A_2$ is a mode by which the TOP
event occurs. If either $A_1$ or $A_2$ does not occur, then the
TOP event does not occur by this mode. The set of events
$A_1 A_2 C$, where C is another primary event, is not a minimal
cut set because C is redundant and is not necessary for the
occurrence of the TOP event; C can either occur or not occur, and
as long as $A_1$ and $A_2$ both occur, then the TOP event will
occur. A minimal cut set is a collection of component failures
all of which are necessary and sufficient to cause system failure
by that minimal cut set. A complete set of minimal cut sets is
all the failure modes for the given system-failure.

The minimal cut sets are important because they depict which
failures must be repaired in order for the TOP failure to be
removed from the failed state. The minimal cut sets point out the
weakest links in the system. The primary events in the 1-event
minimal cut sets usually are the most important. A 1-failure
analysis is a fault tree drawn to obtain only the 1-event minimal
cut sets (1-failure) for the TOP event. For a 1-failure analysis,
the fault tree ends whenever an AND gate is reached that does not
have deeper common causes (which effectively transform an AND
gate to an OR gate).
AND Gate

Coexistence of all inputs required
to produce output.


OR Gate

Output will exist if at least one
input is present.


INHIBIT Gate

Input produces output directly when
conditional input is satisfied.


DELAY Gate

Output occurs after specified delay
time has elapsed.


MATRIX Gate

Output is related to one or more
unspecified combinations of
undeveloped inputs.
RECTANGLE

A fault event usually resulting from the
combination of more-basic faults, which
are acting through logic gates.


CIRCLE

A basic component-fault — an s-independent
event.


DIAMOND

A fault event not developed to its cause.


DOUBLE DIAMOND

An important undeveloped fault-event that
requires further development to complete
the fault tree.


TRIANGLE

A connecting or transfer symbol.


UPSIDE DOWN TRIANGLE

A similarity transfer—the input is similar
but not identical to the like identified input.


HOUSE

An event that usually occurs. Also, useful as a
"trigger event" for logic structure change within
the fault tree.


FIGURE 7-2. Fault Tree Event Symbols 1
Fault trees are very flexible with regard
to  the  degree  of  detail  to  be  included.  In  the 
fault  tree  itself  primary  failures  can  be  failures 
of  the  smallest  mechanical  linkage  in  a micro- 
switch or  failures  of  a power-generating  sta- 
tion. The  resolution  of  the  analysis  is  deter- 
mined by  the  needs  of  the  analyst.  Having 
determined  the  resolution,  the  analyst  has 
options  with  regard  to  evaluating  the  fault 
tree.  Indeed,  the  fault  tree  itself  can  be  the 
final  objective.  In  addition  to  the  system  visi- 
bility and  understanding  obtained  by  studying 
the  fault  tree,  further  qualitative  analysis  of 
the fault tree can produce all of the system
modes  of  failure.  Finally  quantitative  evalua- 
tion is  possible,  i.e.,  probabilistic  failure  infor- 
mation can  be  obtained  about  the  TOP  event 
and  minimal  cut  sets  from  probabilistic  failure 
information  about  the  components. 

Generation  of  fault  trees  has  two 
steps:  system  definition  and  construction  of 
the  tree.  Each  step  is  discussed  in  the  para- 
graphs that  follow. 

7-2.1  SYSTEM  DEFINITION 

System  definition  is  often  the  most  diffi- 
cult task  associated  with  fault  tree  analysis. 
Of  primary  importance  is  a functional  layout 
diagram  of  the  system  showing  all  functional 
interconnections  and  identifying  each  system 
component.  (For  some  systems  that  are  not 
hardware  oriented,  such  a diagram  may  not 
exist  and,  indeed,  the  Cause-Consequence 
chart  itself  might  be  the  only  feasible  dia- 
grammatic system  representation.)  An  exam- 
ple might  be  a detailed  electrical  schematic. 
Physical system bounds are then established
to focus the attention of the analyst on the
precise area of interest. A common error is
failure  to  establish  realistic  system  bounds 
and  thereby  to  initiate  a diverging  analysis. 

Sufficient  information  must  be  available 
for  each  of  the  system  components  to  allow 
the  analyst  to  determine  the  necessary  modes 
of failure of the components. This information
can come from the experience of the
analyst  or  from  the  technical  specifications  of 
the  components. 

Next, the system boundary conditions must be established. These
boundary conditions are not to be confused with the physical
bounds of the system. System boundary conditions define the
situation for which the fault tree is to be drawn. A most
important system boundary condition is the TOP event.
For any given system, there is a multitude of
possibilities  for  TOP  events.  Selecting  an 
appropriate  TOP  event  is  sometimes  difficult. 
The  complete  Cause-Consequence  chart  will 
have  many  TOP  events.  One  of  them  is  chosen 
for  each  fault  tree.  Choosing  good,  useful 
TOP  events  is  not  easy  because  one  is  rarely 
sure  how  high  to  go.  The  system  initial  con- 
figuration is  described  by  additional  system 
boundary  conditions.  This  configuration  must 
represent  the  system  in  the  unfailed  state. 
Consequently,  these  system  boundary  condi- 
tions depend  on  the  TOP  event.  Initial  condi- 
tions are  then  system  boundary  conditions 
that  define  the  component  configurations  for 
which  the  TOP  event  is  applicable.  All  compo- 
nents that  have  more  than  one  operating  state 
generate  an  initial  condition.  System  bound- 
ary  conditions  also  include  any  fault  event  de- 
clared to  exist  or  to  be  not-allowed  for  the 
duration  of  the  fault  tree  construction.  These 
events  are  called  existing  system  boundary 
conditions  or  not-allowed  system  boundary 
conditions.  An  existing  system  boundary  con- 
dition is  treated  as  certain  to  occur,  and  a 
not-allowed  system  boundary  condition  is 
treated  as  an  event  with  no  possibility  of 
occurring.  Neither  existing  nor  not-allowed 
system  boundary  conditions  appear  as  events 
in  the  final  system  fault  tree.  Finally,  in  cer- 
tain cases,  partial  development  of  the  TOP 
event,  called  the  treetop,  also  is  required  as  a 
system  boundary  condition.  If  the  treetop 
system  boundary  condition  is  required,  it  is 
not  considered  as  part  of  the  fault  tree  con- 
struction process  because  it  is  obtained  by 
inductive  means. 

7-2.2 FAULT TREE CONSTRUCTION

Published information dealing with generalized fault tree
construction is quite limited. Haasl (Ref. 1) has described some
general concepts, and Fussell (Ref. 12) has presented a
construction methodology for electrical systems that is deductive
and formal.

An example demonstrates some of the fundamental aspects of fault
tree construction. A sample system schematic is shown in
Fig. 7-3. The system physical bounds include this entire system.
The system boundary conditions are:


TOP Event          = Motor overheats
Initial Condition  = Switch closed
Not-allowed Events = Failures due to effects external to system
Existing Events    = Switch closed
Treetop            = Shown in Fig. 7-4.


FIGURE 7-3. Sample System


FIGURE 7-4. First Treetop System Boundary
Condition for Sample System


7-3 MINIMAL CUT SETS

A minimal cut set is a collection of primary failures all of
which are necessary and sufficient to cause the failure by that
minimal cut set. A complete set of minimal cut sets is all the
failure modes for a given system and TOP event. For the fault
tree in Fig. 7-5, the minimal cut sets are, by inspection, the
sets of primary events:

1. Motor Failure (overheated)

2. Fuse Failure (closed) Wiring Failure
(shorted)

3. Fuse Failure (closed) Power Supply
Failure (surge).

Although these minimal cut sets were determined by examination of
the fault tree, usually a more formal procedure is needed. One
such approach has been suggested by Vesely and Narum (Ref. 14).
The Boolean equation implied by the fault tree is constructed by
a computer. The primary events are then “turned on” one at a
time. Each time, a check is made to determine whether the
equation is “true”. Next, all possible combinations of two
primary events are turned on and again the equation is checked
each time to determine whether it is true. Each time the equation
is true, the collection of primary events that were turned on is
a cut set. After these cut sets are determined, all cut sets that
are supersets of other cut sets are discarded so as to winnow the
minimal cut sets. Vesely and Narum (Ref. 14) have suggested a
Monte Carlo approach whereby appropriate weighting of the primary
events is used to accelerate the process of determining the
minimal cut sets. However, doubt that all the minimal cut sets
have been found is always present when the Monte Carlo approach
is used. In practice, both of the preceding methods generally
require excessive computer time to obtain cut sets containing
more than three primary events.


7-3.1 FINDING THE MINIMAL CUT SETS


This approach (Ref. 17) begins at the TOP event and proceeds to
the primary events without simulation, Boolean manipulation, or
Monte Carlo. Rather, the fault tree is resolved directly into the
minimal cut sets. The execution time is, thereby, not an
exponential function as it is with other methods, but is
approximately a linear function of the average length of the cut
sets. A key point of this method is that an AND gate alone always
increases the size of a cut set while an OR gate alone always
increases the number of cut sets. To obtain the minimal cut sets,
this method requires that the Boolean indicated cut sets (BICS)
be obtained first. The BICS are defined such that, if all the
primary events are different, the BICS will be precisely the
minimal cut sets. This definition of the BICS does not mean that
the method is limited to fault trees with primary events
appearing only once in the fault tree.


FIGURE 7-5. First Fault Tree for Sample System 1

Fig. 7-4 reflects the inductive reasoning that the motor
overheats if an electrical overload is supplied to the motor or a
primary failure within the motor causes the overheating; for
example, bearings lose their lubrication or a wiring failure
occurs within the motor.


From a knowledge of the components, the fault tree shown in
Fig. 7-5 is constructed. The event “excessive current to motor”
occurs if excessive current is present in the circuit and the
fuse fails to open. The event “excessive current in circuit”
occurs if the wire fails shorted or the power supply surges. The
fault tree is now complete to the level of primary failures.

For the same sample system but with different system boundary
conditions, a second example illustrates the treatment of
secondary failures, i.e., failures possibly caused by failure
feedback between components. For this example, the system
boundary conditions are:

TOP Event          = Motor does not operate
Initial Condition  = Switch closed
Not-allowed Events = Failures due to effects external to system
                     (operator failures not included)
Existing Events    = None
Treetop            = Shown in Fig. 7-6.


FIGURE 7-6. Second Treetop System Boundary
Condition for Sample System


The completed fault tree is shown in Fig. 7-7. Here the diamond
symbol is used to indicate that the event “switch open” is not
developed to its causes. The switch’s being open
is  a failure  external  to  the  system  bounds  and, 
in  this  analysis,  insufficient  information  is 
available  for  developing  the  event. 

The event “fuse fails open” occurs if a primary or secondary fuse
failure occurs. Secondary fuse failure can occur if an overload
in the circuit occurs, because an overload can cause the fuse to
open. The fuse does not open, however, every time an overload is
present in the circuit, because all conditions of an overload do
not result in sufficient overcurrent to open the fuse. The
inhibit condition then is used as a weighting factor applied to
all the fault events in the domain of the inhibit condition.
Since the inhibit condition is treated as an AND logic gate in a
probabilistic analysis, it is a probabilistic weighting factor.
The inhibit condition has many variations in fault tree analysis,
but in all cases represents a probabilistic weighting factor.

Even  though  the  generation  and  analysis 
of  fault  trees  nominally  are  separate  tasks, 
there  is  a great  deal  of  interaction  between 
the  two.  During  the  course  of  analysis,  engi- 
neers become  aware  of  things  they  had  for- 
gotten or  not  realized  while  the  tree  was  being 
generated. 

Trees  can  be  evaluated  qualitatively  and 
quantitatively.  Qualitative  evaluation  is  very 
profitable  because  so  much  understanding  of 
the  system  is  developed  during  the  evaluation. 
Both methods are discussed in the remainder
of this chapter.

Each gate in the fault tree arbitrarily is named with a value ω
and each primary event with a value φ. The following definitions
apply to this approach:

$\rho_{\omega,i}$ = input i to gate ω
$\lambda_\omega$ = number of inputs to gate ω
x = BICS x
y = entry y in a BICS
$A_{x,y}$ = variable representing entry y in BICS x
$x_{max}$ = largest value of x yet used
$y_{max}$ = largest value of y yet used in BICS x.

The values ω, φ, and the gate type (AND or OR) are assumed known,
where values of $\rho_{\omega,i}$ are discernible values of ω or
φ. $A_{1,1}$ is first set equal to the ω value representing the
gate immediately under the TOP event. From this point on, the
goal is to eliminate all ω values from the $A_{x,y}$ matrix. When
this elimination is complete, only φ values remain and the BICS
are determined. To accomplish this elimination, an ω value is
located in the $A_{x,y}$ matrix, the values of x, y, and ω are
noted and

(7-1)

For ω an AND gate:

$$A_{x,\,y_{max}+1} = \rho_{\omega,n}, \quad n = 2, 3, \ldots, \lambda_\omega , \qquad (7\text{-}2)$$

where $y_{max}$ is incremented when n is incremented.

FIGURE 7-7. Second Fault Tree for Sample System 1
For ω an OR gate:

$$A_{x_{max}+1,\,n} = \begin{cases} A_{x,n}, & n = 1, 2, \ldots, y_{max};\ n \neq y \\ \rho_{\omega,n}, & n = 2, 3, \ldots, \lambda_\omega;\ n = y \end{cases} \qquad (7\text{-}3)$$

where $x_{max}$ is incremented when n is incremented.

Eqs. 7-1 and 7-2 or 7-3 are repeated until all the entries in the
$A_{x,y}$ matrix become values of φ. The BICS are then
determined. A simple search procedure is used to determine the
minimal cut sets.

The number of BICS (the number of rows in the A matrix) for a
fault tree generally can be determined in a reasonable time by
hand. The number of BICS is an upper bound to the number of
minimal cut sets. If $x_{i,j}$ is a parameter associated with
input j to gate i, where $x_{i,j} = 1$ for all primary events,
then

$$X_i = x_{i,1}\, x_{i,2}\, x_{i,3} \cdots x_{i,j_{max}}, \quad \text{if } i \text{ is an AND gate} \qquad (7\text{-}4)$$

$$X_i = x_{i,1} + x_{i,2} + x_{i,3} + \cdots + x_{i,j_{max}}, \quad \text{if } i \text{ is an OR gate} \qquad (7\text{-}5)$$

$$x_{k,\ell} = X_i \qquad (7\text{-}6)$$

where k is the gate into which Gate i is input ℓ. If logic gate i
is directly under the TOP event then $X_i = X_{TOP}$ is the
number of BICS for the fault tree. The value $X_k$ is determined
only when all its input parameters are determined; hence, gates
that have only primary events ($x_{i,j} = 1$ for all j) as input
are the beginning points.

The computation is simple, as can be seen from examining the
fault tree in Fig. 7-5. From Eq. 7-5, $X_C = (1 + 1) = 2$ and
then from Eq. 7-4,

$$X_B = (x_{B,1})(x_{B,2}) = (X_C)(x_{B,2}) = (2)(1) = 2 \qquad (7\text{-}7)$$

and, finally, since A is an OR gate

$$X_A = X_{TOP} = (x_{A,1}) + (x_{A,2}) = (x_{A,1}) + X_B = 3 . \qquad (7\text{-}8)$$

Therefore, the $A_{x,y}$ matrix contains three rows. The maximum
number of primary events in any BICS for a fault tree also
generally can be determined in a reasonable time by hand. This
maximum is an upper bound to the maximum number of primary events
in any minimal cut set for that fault tree. The determination is
similar to that for the number of BICS. If $y_{i,j}$ is a
parameter associated with input j to gate i, where $y_{i,j} = 1$
for all primary events, then

$$Y_i = y_{i,1} + y_{i,2} + y_{i,3} + \cdots + y_{i,j_{max}}, \quad \text{if } i \text{ is an AND gate} \qquad (7\text{-}9)$$

$$Y_i = \max\{y_{i,1}, y_{i,2}, y_{i,3}, \ldots, y_{i,j_{max}}\}, \quad \text{if } i \text{ is an OR gate} \qquad (7\text{-}10)$$

= (7-11)

where k is the gate into which Gate i is input ℓ. If logic gate i
is directly under the TOP event, then $Y_i = Y_{TOP}$ is the
maximum number of primary events in any BICS for the given fault
tree. $Y_i$ is determined only when all its input parameters are
determined; hence, the analyst must begin with gates that have
only primary events ($y_{i,j} = 1$ for all j) as input.

For example, the fault tree in Fig. 7-5 is again considered. From
Eq. 7-10, $Y_C = \max\{1, 1\} = 1$ and from Eq. 7-9,

$$Y_B = Y_C + y_{B,2} \qquad (7\text{-}12)$$

$$Y_A = Y_{TOP} = \max\{1, 2\} = 2 .$$

Therefore, the largest BICS contains two primary events. The
$A_{x,y}$ matrix for the fault tree of Fig. 7-5 is a 2 × 3
matrix. This method easily can be extended to determine the
maximum number of 1-, 2-, 3-, ... event BICS, hence an upper
bound on the 1-, 2-, 3-, ... event minimal cut sets,
respectively, is determined.

The fault tree of Fig. 7-5 illustrates the method of determining
minimal cut sets. Each gate has been labeled with a letter and each
primary event with a number. The input is then

ω    Gate Type    λ_ω
A    OR           2      1    B
B    AND          2      C    2
C    OR           2      4    3
The solution is begun by preparing a $\Delta_{x,y}$ matrix:

[$\Delta_{x,y}$ matrix]

Since A is an OR gate, Eqs. 7-1 and 7-3 are used to give

$\Delta_{x,y}$:
1
B

To eliminate B, Eqs. 7-1 and 7-2 are used to obtain

[$\Delta_{x,y}$ matrix]

Finally, since C is an OR gate, Eqs. 7-1 and 7-3 are used again to
obtain

[$\Delta_{x,y}$ matrix]

From the preceding matrix, the minimal cut sets are as follows:

Minimal Cut Set    Primary Events
1
2
3

The results agree precisely with the results obtained previously by
inspection. Since all the primary events in the fault tree are
different, the BICS in the preceding $\Delta_{x,y}$ matrix are the
minimal cut sets. If some of the BICS contain duplicate events, this
duplication is eliminated by discarding redundant events. Also, if some
of the BICS are supersets of other BICS, all supersets are discarded.
The minimal cut sets remain.

The advantage of the method lies in the speed with which it can
determine large cut sets. As a typical example, for a fault tree with
2000 BICS, the smallest of which contains 20 primary events and the
largest of which contains 25 primary events, the time required by the
UNIVAC 1108 computer to locate all the BICS is less than 16 sec.
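The bounds of Eqs. 7-4 to 7-10 and the top-down expansion into BICS, applied to the Fig. 7-5 input table, as an added example that is not code from the handbook. The function names and the second tree (REPEATED, with a repeated primary event so that the duplicate and superset rules do some work) are assumptions constructed for illustration.

```python
# Fig. 7-5 input table from the page: gate -> (gate type, inputs).
# Letters are gates, numbers are primary events.
FIG_7_5 = {
    "A": ("OR", [1, "B"]),
    "B": ("AND", ["C", 2]),
    "C": ("OR", [4, 3]),
}

# Constructed tree (not from the handbook) in which primary event 1
# appears under two gates, so some BICS are not minimal.
REPEATED = {
    "T": ("AND", ["G1", "G2"]),
    "G1": ("OR", [1, 2]),
    "G2": ("OR", [1, 3]),
}


def bics_count(tree, node):
    """Eqs. 7-4 to 7-6: X for a node; X at the TOP gate is the BICS count."""
    if node not in tree:
        return 1  # primary event
    kind, inputs = tree[node]
    values = [bics_count(tree, n) for n in inputs]
    if kind == "AND":
        result = 1
        for v in values:
            result *= v
        return result
    return sum(values)


def max_bics_size(tree, node):
    """Eqs. 7-9 and 7-10: Y for a node; Y at TOP bounds the largest BICS."""
    if node not in tree:
        return 1  # primary event
    kind, inputs = tree[node]
    values = [max_bics_size(tree, n) for n in inputs]
    return sum(values) if kind == "AND" else max(values)


def bics(tree, top):
    """Top-down expansion: an AND gate widens its row, an OR gate adds rows."""
    rows = [[top]]
    while True:
        target = None
        for r, row in enumerate(rows):
            for c, node in enumerate(row):
                if node in tree:
                    target = (r, c)
                    break
            if target is not None:
                break
        if target is None:
            return rows  # only primary events remain
        r, c = target
        row = rows[r]
        kind, inputs = tree[row[c]]
        rest = row[:c] + row[c + 1:]
        if kind == "AND":
            rows[r] = rest + list(inputs)
        else:
            rows[r:r + 1] = [rest + [i] for i in inputs]


def minimal_cut_sets(rows):
    """Discard duplicate events and duplicate rows, then all supersets."""
    sets = {frozenset(row) for row in rows}
    minimal = [s for s in sets if not any(other < s for other in sets)]
    return sorted(minimal, key=lambda s: (len(s), sorted(map(str, s))))


if __name__ == "__main__":
    for name, tree, top in (("Fig. 7-5", FIG_7_5, "A"),
                            ("repeated", REPEATED, "T")):
        rows = bics(tree, top)
        print(name, "BICS bound:", bics_count(tree, top),
              "largest BICS bound:", max_bics_size(tree, top))
        print("  BICS:", rows)
        print("  minimal cut sets:", [sorted(s) for s in minimal_cut_sets(rows)])
```

For Fig. 7-5 every BICS is already minimal; for the constructed tree four BICS reduce to two minimal cut sets, so the count from Eq. 7-4 is only an upper bound.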

7-3.2 MODIFICATIONS FOR MUTUALLY EXCLUSIVE EVENTS

Most methods for obtaining minimal cut sets must be modified somewhat
to handle mutually exclusive fault events that appear in the domain of
the same AND logic gate. If this modification is not implemented,
erroneous “minimal cut sets” result. The manner in which erroneous
minimal cut sets appear is illustrated by the example in the system
schematic in Fig. 7-8. The purpose of the system is to provide light
from the bulb. When the switch is closed, the relay contacts close and
the contacts of the circuit breaker, a normally closed relay, open. If
the relay contacts open, the light will go out and the operator will
immediately open the switch which in turn causes the circuit breaker
contacts to close and restore the light. The system boundary conditions
include:

TOP Event          = No light
Initial Conditions = Switch closed
                     Relay contacts closed
                     Circuit breaker contacts open
Not-allowed Events = Operator failures
                     Wiring failures
                     Secondary failures.

Operator failures, wiring failures, and secondary failures are
neglected to simplify the fault tree (see Fig. 7-9).

Table 7-1 gives the primary events that are declared to be minimal cut
sets by conventional methods of determining minimal cut sets for the
system shown in Fig. 7-8. As can be reasoned from Fig. 7-8, sets (6),
(8), (10), and (12) will not cause the TOP event. Only set (12), being
logically impossible, could have been detected as erroneous from the
minimal cut sets themselves.

[Fault tree figure; TOP event: NO LIGHT]

FIGURE 7-9. Fault Tree For Sample System 2

TABLE 7-1. MINIMAL CUT SETS FOR SAMPLE SYSTEM AS DETERMINED BY
CONVENTIONAL MEANS

(1)   Primary bulb failure

(2)   Primary Power Supply 1 failure

(3)   Relay contacts transfer open
      Circuit breaker contacts fail open

(4)   Relay contacts transfer open
      Switch fails closed

(5)   Power Supply 2 failure
      Circuit breaker contacts fail open

(6)   Power Supply 2 failure
      Switch fails closed

(7)   Relay coil open circuits
      Circuit breaker contacts fail

(8)   Relay coil open circuits
      Switch fails closed

(9)   Circuit breaker coil opens circuit
      Circuit breaker contacts fail open

(10)  Circuit breaker coil opens circuit
      Switch fails closed

(11)  Switch transfers open
      Circuit breaker contacts fail open

(12)  Switch transfers open
      Switch fails closed

The reason for these erroneous minimal cut sets is that the fault
events “power removed from Circuit Path C”, hereafter called X, and the
fault event “power not removed from Circuit Path C”, hereafter called
Y, are mutually exclusive fault events. Consequently, collections of
component failures that reflect certain combinations of the primary
events used to develop these events will not cause TOP failure. Since X
and Y are both in the domain of an AND logic gate, they were combined
in determining the minimal cut sets. Alleviating this difficulty in the
method of par. 7-3.1 is easy. The mutually exclusive events are
flagged. These events then never are combined; hence, erroneous minimal
cut sets are not obtained. However, if these erroneous additional
minimal cut sets are considered, the error is generally conservative;
i.e., a higher system-failed probability is calculated.

Most methods for finding the minimal cut sets presume that the primary
events are s-independent; correcting them for mutually exclusive events
is more difficult.

7-4  FAILURE  PROBABILITY 

There are basically three methods for solving fault trees: (1) direct
simulation (Ref. 15), (2) Monte Carlo (Ref. 7), and (3) direct analysis
(Ref. 6).

Direct simulation basically uses Boolean logic hardware (similar to
that in digital computers) in a one-to-one correspondence with the
fault tree Boolean logic to form an analog circuit. This method usually
is prohibitively expensive. A hybrid method obtains parts of the
solution using the analog technique and parts from a digital
calculation, in an effort to be cost competitive. Because of the
expense involved, this method rarely is used.

Monte Carlo methods are perhaps the most simple in principle but in
practice can be expensive. Since Monte Carlo is not practical without
the use of a digital computer, it is discussed in that framework. The
most easily understood Monte Carlo technique is called “direct
simulation”. The term "simulation" frequently is used in conjunction
with Monte Carlo methods, because Monte Carlo is a form of mathematical
simulation. (This simulation should not be confused with direct analog
simulation.) Probability data are provided as input, and the simulation
program represents the fault tree on a computer to provide quantitative
results. In this manner, thousands or millions of trials can be
simulated. A typical simulation program involves the following steps.




1. Assign failure data to input fault events within the tree and, if
desired, repair data.

2. Represent the fault tree on a computer to provide quantitative
results for the overall system performance, subsystem performance, and
the basic input event performance.

3. List the failure that leads to the undesired event and identify
minimal cut sets contributing to the failure.

4. Compute and rank basic input failure and availability performance
results.

In performing these steps, the computer program simulates the fault
tree and, using the input data, randomly selects the various parameter
data from assigned statistical distributions; and then tests whether or
not the TOP event occurred within the specified time period. Each test
is a trial, and a sufficient number of trials is run to obtain the
desired quantitative resolution. Each time the TOP event occurs, the
contributing effects of input events and the logical gates causing the
specified TOP event are stored and listed as computer output. The
output provides a detailed perspective of the system under simulated
operating conditions and provides a quantitative basis to support
objective decisions.

To illustrate how direct analysis might be applied to a simple fault
tree for static conditions, the fault tree shown in Fig. 7-10 is
considered. It contains s-independent, primary events A, B, C, and D
with constant probabilities of failure 0.1, 0.2, 0.3, and 0.4,
respectively. This assumption of constant failure probabilities
distinguishes this example from realistic fault tree evaluation. The
fault tree, as shown in Fig. 7-10, is not in convenient form because
Events X1 and X2 are not s-independent; they both are functions of
Primary Event B. By Boolean manipulation the fault tree shown in
Fig. 7-11 is equivalent to the one shown in Fig. 7-10; the minimal cut
sets for both fault trees are identical. The fault tree shown in
Fig. 7-11 is in convenient form for calculating the probability of the
TOP event.

Two basic laws of probability are used in a fault tree evaluation.


FIGURE  7-10.  Sample  Fault  Tree  for 
Probability  Evaluation. 


$$ \Pr\{A_1 \cup A_2\} = \Pr\{A_1\} + \Pr\{A_2\} - \Pr\{A_1 \cap A_2\} \tag{7-14} $$

$$ \Pr\{A_1 \cap A_2\} = \Pr\{A_1\}\,\Pr\{A_2 \mid A_1\} \tag{7-15} $$

where

$A_1, A_2$ = any two events

∪ = logic symbol for union, and/or (often represented as addition)

∩ = logic symbol for intersection, both/and (often represented as
multiplication)

Eq. 7-14 simply states that the probability of a union is the sum of
the probabilities of the individual events minus the probability of
their intersection. In terms of the fault tree, the probability of a
2-event OR gate is the sum of probabilities of the two events attached
to the gate minus the probability of the two events both occurring.
Eq. 7-15 states that the probability of an intersection is the
probability of one, $\Pr\{A_1\}$, times the probability of the other,
given the occurrence of the first, $\Pr\{A_2 \mid A_1\}$. In terms of
the fault tree in Fig. 7-11, the probability of a 2-event AND gate is
the product of the probabilities of the two attached events, because
primary events of a fault tree are s-independent; (if not, special
precautions must be taken as mentioned in par. 7-3.2).
FIGURE 7-11. Boolean Equivalent of Sample Fault Tree Shown in
Fig. 7-10.


Since all events are s-independent in the fault tree shown in
Fig. 7-11, unlike the events of the tree shown in Fig. 7-10, the event
probabilities are as follows:

$$
\begin{aligned}
\Pr\{Z2\} &= \Pr\{C\}\,\Pr\{D\} \\
\Pr\{Z1\} &= \Pr\{B\} + \Pr\{Z2\} - \Pr\{B\}\,\Pr\{Z2\} \\
\Pr\{TOP\} &= \Pr\{Z1\}\,\Pr\{A\}.
\end{aligned}
\tag{7-16}
$$

Upon substitution,

$$
\begin{aligned}
\Pr\{TOP\} &= \Pr\{A\}\Pr\{B\} + \Pr\{A\}\Pr\{C\}\Pr\{D\} - \Pr\{A\}\Pr\{B\}\Pr\{C\}\Pr\{D\} \\
\Pr\{TOP\} &= 0.0236.
\end{aligned}
\tag{7-17}
$$

The probability of the system being in the failed state is 0.0236 for
the given primary event failure probabilities. This fault tree has two
minimal cut sets, AB and ACD. Primary Event A appears in both minimal
cut sets and hence is most crucial to the system. If the Pr{A} can be
reduced to one-half of its original value, i.e., from 0.1 to 0.05, the
system failure probability is reduced to 0.0118, or one-half its
original value.
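Eq. 7-16 evaluated three ways, as an added example that is not code from the handbook: gate by gate on the Fig. 7-11 tree, by inclusion-exclusion over the minimal cut sets AB and ACD, and by Monte Carlo trials; it also shows the error made when the two cut sets, which share Event A, are ORed as if they were s-independent. The function names, trial count and seed are assumptions.

```python
import itertools
import random

# Primary-event failure probabilities stated on the page.
P = {"A": 0.1, "B": 0.2, "C": 0.3, "D": 0.4}
# Minimal cut sets stated on the page: AB and ACD.
CUT_SETS = [frozenset("AB"), frozenset("ACD")]


def gate_by_gate(p):
    """Eq. 7-16 on the Fig. 7-11 tree, whose gate inputs are s-independent."""
    z2 = p["C"] * p["D"]                 # AND gate (Eq. 7-15, independent)
    z1 = p["B"] + z2 - p["B"] * z2       # OR gate (Eq. 7-14)
    return z1 * p["A"]                   # AND gate under TOP


def inclusion_exclusion(cut_sets, p):
    """Exact Pr{TOP} as the probability of the union of the cut sets."""
    total = 0.0
    for r in range(1, len(cut_sets) + 1):
        for combo in itertools.combinations(cut_sets, r):
            events = frozenset().union(*combo)   # a shared event counts once
            term = 1.0
            for e in events:
                term *= p[e]
            total += (-1) ** (r + 1) * term
    return total


def naive_independent_union(cut_sets, p):
    """Deliberately wrong: ORs the cut sets as if they shared no events."""
    none_occurs = 1.0
    for cs in cut_sets:
        prob = 1.0
        for e in cs:
            prob *= p[e]
        none_occurs *= 1.0 - prob
    return 1.0 - none_occurs


def monte_carlo(cut_sets, p, trials, seed=1):
    """Each trial samples every primary event once and tests for TOP."""
    rng = random.Random(seed)
    names = sorted(p)
    hits = 0
    for _ in range(trials):
        failed = {n for n in names if rng.random() < p[n]}
        if any(cs <= failed for cs in cut_sets):
            hits += 1
    return hits / trials


if __name__ == "__main__":
    print("gate by gate        :", round(gate_by_gate(P), 6))
    print("inclusion-exclusion :", round(inclusion_exclusion(CUT_SETS, P), 6))
    print("naive OR of cut sets:", round(naive_independent_union(CUT_SETS, P), 6))
    print("Monte Carlo         :", monte_carlo(CUT_SETS, P, 200_000))
    halved = dict(P, A=0.05)
    print("Pr{A} halved        :", round(gate_by_gate(halved), 6))
```

Evaluated with the stated probabilities 0.1, 0.2, 0.3, and 0.4, Eq. 7-17 gives 0.0296 (and 0.0148 with Pr{A} halved) rather than the 0.0236 and 0.0118 printed above; the one-half relationship is unchanged. The naive OR of the cut sets gives 0.03176, which is why the tree is first put in a form whose gate inputs are s-independent.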

In spite of the seeming simplicity of this example, until recently, a
practical method for solving complex fault trees analytically was not
known for trees containing primary failures with time-dependent failure
probabilities and repair possibilities. With the advent of Kinetic Tree
Theory (Ref. 6) analytic solutions requiring only relatively small
amounts of computer time were possible for complex trees. The fault
tree itself is solved through a blend of probability theory and
differential calculus. AND, OR, and INHIBIT gates, and general failure
and repair distributions are allowed. Complete probabilistic
information first is obtained for each primary failure of the fault
tree, then for each minimal cut set, and finally for the TOP failure
itself. The information is obtained as a function of time and, hence,
with regard to reliability, complete kinetic behavior is obtained. The
expressions are simple and yield numerical results efficiently, with an
average computer time on the order of one minute on the IBM 360/75
computer for a 500 primary failure fault tree (Ref. 6).


An elementary example of a fault tree solution with failure and repair
probabilities as functions of time is two identical, s-independent
system units, A and B, operating such that the simultaneous failure of
both is required to cause system failures (see Fig. 7-12). All failure
and repair events are s-independent.

For Events A and B, F(t) represents the time-to-failure Cdf, and G(t)
is time-to-repair Cdf. These functions are

$$ F(t) = 1 - e^{-\lambda t}, \qquad G(t) = 1 - e^{-\mu t} \tag{7-18} $$

where

λ = constant failure rate for a primary failure

μ = constant repair rate.

If q(t) is the probability of the primary failure existing at time t,
then from Ref. 16, pp. 112-132,

$$ q(t) = \frac{\lambda}{\lambda + \mu}\left(1 - e^{-(\lambda + \mu)t}\right) \tag{7-19} $$
FIGURE 7-12. Sample Fault Tree with Time-Dependent Probabilities


Now Q(t) is defined as the probability that the TOP event exists at
time t. Since the TOP failure exists at time t if and only if all the
primary failures exist at time t,

$$ Q(t) = [q(t)]^2. \tag{7-20} $$

In  practice,  the  methods  used  for  fault 
tree  analysis  will  depend  on  which  ones  are 
available  for  the  computer  being  used.  It  will 
rarely,  if  ever,  be  worthwhile  generating  a 
computer  program  especially  for  a particular 
problem. 
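The two-unit tree of Fig. 7-12 simulated trial by trial and compared with the analytic result, as an added example that is not code from the handbook. It assumes each unit is good at t = 0, uses the standard constant-rate closed form q(t) = λ/(λ+μ)·(1 − e^(−(λ+μ)t)) with Q(t) = [q(t)]², and the rates, time, trial count and seed are constructed values.

```python
import math
import random


def q_closed_form(lam, mu, t):
    """Probability that one unit, good at t = 0, is failed at time t."""
    return lam / (lam + mu) * (1.0 - math.exp(-(lam + mu) * t))


def unit_failed_at(lam, mu, t, rng):
    """Walk one unit through fail/repair cycles; True if failed at time t.

    Time to failure is drawn from F(t) = 1 - exp(-lam*t) and time to
    repair from G(t) = 1 - exp(-mu*t), as in Eq. 7-18.
    """
    clock, failed = 0.0, False
    while True:
        clock += rng.expovariate(mu if failed else lam)
        if clock > t:
            return failed
        failed = not failed


def simulate(lam, mu, t, trials, seed=7):
    """Return (estimate of q(t), estimate of Q(t)) for two s-independent units."""
    rng = random.Random(seed)
    one_failed = both_failed = 0
    for _ in range(trials):
        a = unit_failed_at(lam, mu, t, rng)
        b = unit_failed_at(lam, mu, t, rng)
        one_failed += a
        both_failed += a and b          # TOP exists only if A and B both failed
    return one_failed / trials, both_failed / trials


if __name__ == "__main__":
    lam, mu, t = 0.5, 2.0, 1.0          # constructed values, per hour and hours
    q = q_closed_form(lam, mu, t)
    q_hat, big_q_hat = simulate(lam, mu, t, 100_000)
    print(f"q(t): analytic {q:.4f}, simulated {q_hat:.4f}")
    print(f"Q(t): analytic {q * q:.4f}, simulated {big_q_hat:.4f}")
    print(f"steady state q: {q_closed_form(lam, mu, 1e6):.4f}")
```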
CHAPTER 8 FAILURE MODES AND EFFECTS ANALYSIS


8-0 LIST OF SYMBOLS

$(CR)_{ij}$ = CRiticality, viz, the portion of the system failure rate
due to item i's failing in its mode j

$(CR)_s$ = system criticality, viz, failure rate

$\alpha_{ij}$ = failure mode frequency ratio of item i for the failure
mode j

$\beta_{ij}$ = loss probability of item i for failure mode j

$\lambda_i$ = failure rate of item i

Σ = sum over all i or j


8-1 INTRODUCTION

Failure Modes and Effects Analysis (FMEA) (Ref. 1) is a technique for
evaluating the reliability of a design by considering potential
failures and their effect on the system. It is a systematic procedure
for determining the cause of failures and defining actions to minimize
their effects. It can be applied at any level from complete systems to
parts. The basic approach is to describe or identify each failure mode
of an item, i.e., each possible way it can fail to perform its
function. The analysis consists of identifying and tabulating the
failure modes of an item, along with the effects of a failure in each
mode. Following this analysis, corrective action can be taken to
improve the design by determining ways to eliminate or reduce the
probability of occurrence of critical failure modes. This corrective
action is performed by considering the relative seriousness of the
effects of failures.

Criticality of an item is the degree to which satisfactory mission
completion depends on the item. A mission usually has several tasks,
e.g., a vehicle needs to provide prompt safe delivery of its cargo and
safe delivery of its crew. A mission also is classified conveniently
into several time phases. Some failure modes of an item will affect
adversely some tasks and some phases of a mission, but not necessarily
all of them. Some failure modes concerning crew and public safety are
not failures in the ordinary sense; for example, sharp edges which can
cut a vehicle operator do not “fail”, they are just there.

The principles of FMEA are straightforward and easy to grasp. The
practice of FMEA is tedious, time-consuming, and very profitable. It is
best in conjunction with Cause-Consequence charts and Fault Tree
analysis; both are explained in Chapter 7. The bookkeeping aspects,
namely, the keeping track of each item and its place in the hierarchy,
are very important because mistakes are so easy to make.

An FMEA also can be used as a basis for evaluating redesign,
substitution, or replacements proposed during manufacture, assembly,
installation, and checkout phases.

The  FMEA  consists  of  two  phases  which 
provide  a documented  analysis  for  all  critical 
components  of  a system.  First,  however,  defi- 
nitions of  failure  at  the  system,  subsystem, 
and  sometimes  even  part,  level  must  be  estab- 
lished. 

Phase  1 is  performed  in  parallel  with  the 
start  of  detail  design  and  updated  periodically 
throughout  the  development  program  as  dic- 
tated by  design  changes.  Phase  2 is  performed 
before,  or  concurrently  with,  the  release  of 
detail  drawings. 

The  Phase  1 analysis  consists  of  the  fol- 
lowing steps: 

(1)  Constructing  a symbolic  logic  block 
diagram,  viz.,  the  reliability  diagram 
mentioned  in  Chapter  4 or  a Cause- 
Consequence  chart  mentioned  in 
Chapter  6. 

(2)  Performing  a failure  effect  analysis, 
taking  into  account  modes  of  failure 
such  as: 

(a)  Open  circuits 

(b)  Short  circuits 

(c)  Dielectric  breakdowns 

(d)  Wear 

(e)  Part-parameter  drifts 

(3)  Proper  system  and  item  identi- 
fication 

(4)  Preparation  of  a critical  items  list. 




During  Phase  2,  the  results  of  Phase  1 are 
revised  and  updated  as  required  by  design 
changes.  In  addition,  all  items  in  the  system 
are  analyzed  to  determine  their  criticality 
with  respect  to  the  system. 

8-2  PHASE  1 

During  this  phase  the  following  detailed 
steps  are  performed: 

(1) A Symbolic Logic Block Diagram is constructed. This diagram is
developed for the entire system to indicate the functional dependencies
among the elements of the system and to define and identify its
subsystems. It is not a functional schematic or a signal flow diagram,
but a model for use in the early analysis to point out weaknesses.
Figs. 8-1 and 8-2 show typical symbolic logic diagrams. Fig. 8-1
illustrates the functional dependency among the subsystems, sets,
groups, and units that make up the system. Fig. 8-2 illustrates the
functional dependencies among assemblies, subassemblies, and parts that
make up one of the units in Fig. 8-1.

(2) A failure effect analysis is performed for each block in the
symbolic logic block diagram, indicating the effect of item failure on
the performance of the next higher level on the block diagram.
Table 8-1 (Ref. 1) shows a typical group of failure modes for various
electronic and mechanical parts, representing equipment of the
mid-1960’s. The failure mode ratios are estimates and are to be revised
on the basis of the user’s experience. However, they can be used as a
guide in performing a detailed failure effects analysis.

Fig. 8-3 illustrates a useful form for conducting a failure effect
analysis. (See also Fig. 8-5 for an example of its use.) For each
component in the system, appropriate information is entered in each
column. Column descriptions are given in Table 8-2.

A numerical reference for all items in the symbolic logic block diagram
must be provided by using a standard coding system, such as that
specified in MIL-STD-16 (Ref. 2). All items below the set and group
levels are identified using the scheme illustrated in Fig. 8-2. Items
at and above the group and set levels are not subject to this standard
nomenclature scheme. These items can be assigned a simple code such as
that illustrated in Fig. 8-1. In this illustration, the system is
assigned a letter; and the subsystems, sets, and groups are assigned
numbers in a specifically ordered sequence. As an example, the code
S-23-01 designates the first group of the third set in the second
subsystem of system S. The exact coding system used is not as important
as making sure that each block in the diagram has its own number.
Identical items (same drawing numbers) in different systems, or in the
same system but used in different applications, should not be assigned
the same code number.

(3)  During  the  failure  effects  analysis,  a 
number  of  changes  to  the  block  diagrams  may 
be  required.  Therefore,  to  minimize  the  num- 
ber of  changes  in  the  coding  system,  it  is  re- 
commended that  the  failure  effects  analysis 
be  completed  before  assignment  of  code 
numbers  is  finalized. 

(4) Based on the failure effects analysis, a list of critical items
should be prepared. This list will contain those items whose failure
results in a possible loss, probable loss, or certain loss of the next
higher level in the symbolic logic block diagram. All items that can
cause system loss should be identified clearly in the list.

8-3 PHASE 2

This  phase  is  implemented  by  performing 
the  following  steps: 

(1)  The  symbolic  logic  block  diagram, 
failure  effects  analysis,  coding,  and  critical 
items  list  are  reviewed  and  brought  up-to- 
date. 

(2) Criticality is assigned, based on the item applicable failure mode,
the system loss probability, the failure mode frequency ratio, and the
item unreliability. The analysis of criticality is essentially
quantitative, based on a qualitative failure effects analysis.

Criticality $(CR)_{ij}$ is defined by the equation:

$$ (CR)_{ij} = \alpha_{ij}\,\beta_{ij}\,\lambda_i \tag{8-1} $$

where 
[Block diagram figure; levels shown: SUBSYSTEM, SET, GROUP, UNIT]

Notes:

1. The system depends on subsystems 10, 20, 30, and 40.

2. Subsystem 10 depends on sets 11, 21, 31A, and 31B.

3. Set 11 depends on groups 01A, 01B, 02, 03, and 04.

4. Group 01B depends on units 01B1, 01B2, and 01B3.

5. Sets 31A and 31B are redundant.

6. Groups 01A and 01B are redundant.

7. Subsystem 40 depends on subsystem 50.

8. Set 21 depends upon an input from another system.

FIGURE 8-1. Typical System Symbolic Logic Block Diagram
[Block diagram figure; levels shown: UNIT, ASSEMBLY, SUBASSEMBLY; unit
01B1; part codes shown: 1A1A1Q1, 1A1A1Q2, 1A1A1C1, 1A1A1C2, 1A1A1H1]

1. Unit 01B1 depends on assemblies 1A1, 1A2 AND either '1A3 AND 1A5' OR
'1A4 AND 1A6.'

2. Assembly 1A1 depends on subassemblies 1A1A1 AND 1A1A2.

3. Assembly 1A2 depends on subassembly 1A2A1.

4. Subassembly 1A1A1 depends on all parts contained therein.

FIGURE 8-2. Typical Unit Symbolic Logic Block Diagram
TABLE 8-1. PART FAILURE MODES

PART
    IMPORTANT FAILURE MODES AND APPROXIMATE PERCENTAGES OF OCCURRENCE

Bearings
    Loss or deterioration of lubrication                    45
    Contamination                                           30
    Misalignment                                             5
    Brinelling                                               5
    Corrosion                                                5

Blowers
    Winding failures                                        35
    Bearing failures                                        50
    Sliprings, brushes, and commutators                      5

Capacitors-Fixed, Ceramic Dielectric
    Short circuits                                          50
    Change of value                                         40
    Open circuits                                            5

Capacitors-Fixed, Electrolytic Aluminum
    Open circuits                                           40
    Short circuits                                          30
    Excessive leakage current                               15
    Decrease in capacitance                                  5

Capacitors-Fixed, Mica or Glass Dielectric
    Short circuits                                          70
    Open circuits                                           15
    Change of value                                         10

Capacitors-Fixed, Metallized Paper or Film
    Open circuits                                           65
    Short circuits                                          30

Capacitors-Fixed, Paper Dielectric
    Short circuits                                          90
    Open circuits                                            5

Capacitors-Fixed, Electrolytic, Tantalum
    Open circuits                                           35
    Short circuits                                          35
    Excessive leakage current                               10
    Decrease in capacitance                                  5

Choppers
    Contact failures                                        95
    Coil failure                                             5

Circuit Breakers
    Mechanical failure of tripping device                   70

Clutches-Magnetic
    Bearing wear                                            45
    Loss of torque due to internal mechanical               30
    Loss of torque due to coil failure                      15

Coils
    Insulation deterioration                                75
    Open winding                                            25

Connectors, Interstage
    Shorts (poor sealing)                                   30
    Mechanical failure of solder joints                     25
    Degradation of insulation resistance                    20
    Poor contact resistance                                 10
    Miscellaneous mechanical failures                       15

Connectors, Standard
    Contact failure                                         30
    Material deterioration                                  30
    Mechanical failure of solder joints                     25
    Miscellaneous mechanical failures                       15

Crystal Units, Quartz
    Opens                                                   80
    No oscillations                                         10

Diodes, Silicon and Germanium
    Short circuits                                          76
    Intermittent circuits                                   18
    Open circuits                                            6

Electron Tubes (Subminiature)
    Degradation (gm, Rik, Ip, etc.)                         90
    Catastrophic (shorts, opens, cracked envelopes, etc.)   10

Hose Assemblies (Rubber)
    Material deterioration                                  85
    End fitting mechanical failure                          10

Indicator Lights
    Catastrophic (opens)                                    75
    Degradation (corrosion, solderability)                  25

Insulators
    Mechanical breakage                                     50
    Deterioration of plastic material                       50

Lamps, Incandescent
    Catastrophic (filament breakage, glass breakage)        10
    Degradation (loss of filament emission)                 90

Magnetrons
    Window puncturing                                       20
    Cathode degradation (resulting from arcing
        and sparking)                                       40
    Gassing                                                 30

Meters, Ruggedized
    Catastrophic (opens, glass breakage, open seals)        75
    Degradation (accuracy, friction, damping)               25

Motors, Drive and Generator
    Winding failures                                        20
    Bearing failures                                        20
    Sliprings, brushes, and commutators                      5

Motors, Servo and Tachometer
    Bearing failures                                        45
    Winding failures                                        40

Oil Seals (rubber)
    Material deterioration                                  85

O-Rings (rubber)
    Material deterioration                                  90

Relays
    Contact failures                                        75
    Open coils                                               5

Resistors-Fixed, Carbon and Metal Film
    Open circuits                                           80
    Change of value                                         20

Resistors-Fixed, Composition
    Change of value                                         95

Resistors-Variable, Composition
    Erratic operation                                       95
    Insulation failure                                       5

Resistors-Variable, Wirewound
    Erratic operation                                       55
    Open circuits                                           40
    Change of value                                          5

Resistors-Variable, Wirewound, precision
    Open circuits                                           70
    Excessive noise                                         25

Switches, Rotary
    Intermittent contact                                    90

Switches, Toggle
    Spring breakage (fatigue)                               40
    Intermittent contact                                    50

Synchros
    Winding failures                                        40
    Bearing failures                                        30
    Slipring and brush failures                             20

Thermistors
    Open circuits                                           95

Transformers
    Shorted turns                                           80
    Open circuits                                            5

Transistors, Germanium and Silicon
    High collector to base leakage current (Icbo)           59
    Low collector to emitter breakdown voltage (BVceo)      37
    Open terminals                                           4

Valves-Check and Relief
    Poppets sticking (open or closed)                       40
    Valve seat deterioration                                50

Varistors
    Open circuits                                           95

Vibration Isolators (rubber type)
    Material deterioration                                  85

Vibration Isolators (spring type)
    Degradation of damping medium                           80
    Spring fatigue                                           5

Vibrators
    Contact failures                                        80
    Open winding                                             5
    Spring fatigue                                          15

(1) ITEM   (2) CODE   (3) FUNCTION   (4) FAILURE MODE   (5) FAILURE EFFECT   (6) LOSS PROBABILITY, β

FIGURE 8-3. Failure Effects Analysis Form
TABLE 8-2. COLUMN DESCRIPTIONS FOR FIGURE 8-3

COLUMN  NOMENCLATURE         DESCRIPTION

1       Item                 Item name

2       Code                 Item identification or circuit
                             designation code

3       Function             Concise statement of the item’s function

4       Failure Mode         Concise statement of the mode(s) of item
                             failure

5       Failure Effect       Explanation of the effect of each failure
                             mode on the performance of the next higher
                             level in the symbolic logic block diagram

6       Loss Probability, β  Numerical index indicating the probability
                             of system loss if the item fails in the
                             mode indicated

$\alpha_{ij}$ = failure mode frequency ratio of item i for the failure
mode j (see Table 8-1 for an example); i.e., the ratio of failures of
the type being considered to all failures of the item

$\beta_{ij}$ = loss probability of item i for failure mode j (i.e., the
probability of system failure if the item fails). A suggested scale is
Certain Loss-1.00, Probable Loss-0.50, Possible Loss-0.10, No
Effect-0.0

$\lambda_i$ = failure rate of item i

$(CR)_{ij}$ = system failure rate due to item i’s failing in its
mode j.

The system criticality is given by Eq. 8-2.

$$ (CR)_s = \sum_{i=1} \sum_{j=1} (CR)_{ij} \tag{8-2} $$

$(CR)_s$ = system criticality (failure rate)

$\Sigma_j$ = sum over all failure modes of item i

$\Sigma_i$ = sum over all items.

A form useful for conducting the criticality analysis is given in Fig. 8-5.
This form is a modification of Fig. 8-3 to include the failure mode
frequency ratio and the failure rate.

Example Problem No. 12 illustrates the procedure.

The CR value of the preamplifier unit is 4.6 per 10^6 hr (rounded off to 2
significant figures). This number can be interpreted as the predicted total
number of system failures per hour due to preamplifier failures. Whether or
not this number is excessive, and thus calls for corrective action, depends
upon the requirements for the system and the criticalities for other units
in the system. If the number is excessive, it can be reduced by any of the
following actions:

(1) Lowering the failure rates of parts in the system by derating

(2) Decreasing the failure mode frequency ratio through selection of other
parts

(3) Decreasing the loss probability by changing the system or preamplifier
design

(4) Redesign using various techniques such as redundancy, additional
cooling, or switching.
Example Problem No. 12

The detail design of a radar system requires the use of FMEA to determine
the effect of item failure on the system. The FMEA analysis must be
performed at this time prior to freezing the design. Perform an FMEA
analysis as follows:

Procedure

(1) Develop a symbolic logic block diagram of the radar system. The units
making up the receiver subsystem are shown in detail. In an actual
analysis, symbolic diagrams must be constructed for all other subsystems.

(2) Fill in the work sheets for all units in the receiver subsystem. Repeat
this procedure for all subsystems.

(3) Qualitatively estimate the values of loss probability β for each part.

(4) Determine the failure mode frequency ratio α for each failure mode of
every part.

(5) Tabulate failure rates for each component.

(6) Compute the CR value for each failure mode of each part by Eq. 8-1.

(7) Compute the total CR for the unit (CR)_s by Eq. 8-2.

Example

(1) See Fig. 8-4.

(2) See Fig. 8-5.

(3) An analysis indicates that for this system the following values of β
are applicable: 1.0, 0.1, and 0.

(4) The resistor 20A1R1 is fixed, film (Fig. 8-5); from Table 8-1, it has
two failure modes: open and drift, α(open) = 0.8 and α(drift) = 0.2.

(5) λ(20A1R1) = 1.5 per 10^6 hr for example.

(6) CR(20A1R1 - open) = 0.80 × 1.00 × 1.5 per 10^6 hr
                      = 1.2 per 10^6 hr

    CR(20A1R1 - drift) = 0.20 × 0.10 × 1.5 per 10^6 hr
                       = 0.030 per 10^6 hr                      (8-3)

(7) The total CR for the preamplifier unit is 4.635 per 10^6 hr (See Fig.
8-5).
CRITICALITY WORK SHEET

SYSTEM Radar (2)    SUBSYSTEM Receiver 20    UNIT Preamplifier 20A1    PAGE 1 OF 2

Parts

Columns: (6) Loss Probability (β); (7) Failure Mode Frequency Ratio (α);
(8) Failure Rate (Per Million Hours) (λ); (9) Criticality (CR)

(1)         (2)      (3)              (4)                                     (5)             (6)   (7)   (8)    (9)    (10)
Item        Code     Function         Failure Mode                            Failure Effect  β     α     λ      CR     Comments
Resistor    20A1R1   Voltage Divider  Open                                    No Output       1.00  0.80  1.5    1.200  Film Resistor
Resistor    20A1R1   Voltage Divider  Change of Value                         Wrong Output    0.10  0.20  1.5    0.030  Film Resistor
Resistor    20A1R2   Voltage Divider  Open                                    No Output       1.00  0.80  1.5    1.200  Film Resistor
Resistor    20A1R2   Voltage Divider  Change of Value                         Wrong Output    0.10  0.20  1.5    0.030  Film Resistor
Capacitor   20A1C3   Decoupling       Open                                    No Effect       0.00  0.36  0.22   0.000  Tubular Tantalum
Capacitor   20A1C3   Decoupling       Short Circuit                           No Output       1.00  0.35  0.22   0.077  Tubular Tantalum
Capacitor   20A1C3   Decoupling       High Leakage Current                    No Effect       0.00  0.20  0.22   0.000  Tubular Tantalum
Capacitor   20A1C3   Decoupling       Decrease in Capacitance                 No Effect       0.00  0.10  0.22   0.000  Tubular Tantalum
Diode       20A1CR3  Voltage Divider  Short Circuit                           No Output       1.00  0.75  1.0    0.750
Diode       20A1CR3  Voltage Divider  Intermittent Ckt                        No Output       1.00  0.20  1.0    0.200
Diode       20A1CR3  Voltage Divider  Open Circuit                            No Output       1.00  0.06  1.0    0.050
Transistor  20A1Q4   Amplifier        High Collector to Base Leakage Current  No Output       1.00  0.60  3.0    1.800
Transistor  20A1Q4   Amplifier        Low Bvceo                               No Output       1.00  0.35  3.0    1.050
Transistor  20A1Q4   Amplifier        Open Terminals                          No Output       1.00  0.05  3.0    0.150
Transformer 20A1T5   Coupling         Shorted Turns                           Wrong Output    0.10  0.80  0.30   0.024

CRITICALITY TOTAL FOR UNIT 4.635

TOTAL 4.551

FIGURE 8-5. Determination of Preamplifier Criticality
CRITICALITY WORK SHEET

SYSTEM Radar (2)    SUBSYSTEM Receiver 20    UNIT Preamplifier 20A1    PAGE 2 OF 2

Parts

Columns: (6) Loss Probability (β); (7) Failure Mode Frequency Ratio (α);
(8) Failure Rate (Per Million Hours) (λ); (9) Criticality (CR)

(1)         (2)      (3)              (4)                                     (5)             (6)   (7)   (8)    (9)    (10)
Item        Code     Function         Failure Mode                            Failure Effect  β     α     λ      CR     Comments
Transformer 20A1T5   Coupling         Open Ckt.                               No Output       1.00  0.20  0.30   0.060  Composition
Resistor    20A1R6   Bias             Open Ckt.                               No Output       1.00  0.05  0.005  0.000  Composition
Resistor    20A1R6   Bias             Change of Value                         No Effect       0.00  0.95  0.005  0.000  Composition
Capacitor   20A1C7   Bypass           Open Ckt.                               No Effect       0.00  0.40  0.48   0.000  Aluminum
Capacitor   20A1C7   Bypass           Short Ckt.                              Wrong Output    0.10  0.30  0.48   0.014  Electrolytic
Capacitor   20A1C7   Bypass           High Leakage Current                    No Effect       0.00  0.20  0.48   0.000
Capacitor   20A1C7   Bypass           Decrease in Capacitance                 No Effect       0.00  0.10  0.48   0.000

CRITICALITY TOTAL FOR UNIT 4.635

TOTAL 0.074

FIGURE 8-5. Determination of Preamplifier Criticality (cont'd)
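The work-sheet arithmetic can be automated as follows. This is an added example, not part of the handbook: it applies CR = α × β × λ as in Example Problem No. 12 and the Eq. 8-2 sum to the rows of page 2 of Fig. 8-5, and the function names and the check on frequency ratios are assumptions of this sketch.

```python
from collections import defaultdict

# Rows transcribed from page 2 of the Fig. 8-5 work sheet:
# (item code, failure mode, beta, alpha, lambda per 10^6 hr)
SHEET_PAGE_2 = [
    ("20A1T5", "Open Ckt.",               1.00, 0.20, 0.30),
    ("20A1R6", "Open Ckt.",               1.00, 0.05, 0.005),
    ("20A1R6", "Change of Value",         0.00, 0.95, 0.005),
    ("20A1C7", "Open Ckt.",               0.00, 0.40, 0.48),
    ("20A1C7", "Short Ckt.",              0.10, 0.30, 0.48),
    ("20A1C7", "High Leakage Current",    0.00, 0.20, 0.48),
    ("20A1C7", "Decrease in Capacitance", 0.00, 0.10, 0.48),
]


def criticality(beta, alpha, lam):
    """CR of one failure mode of one item: alpha * beta * lambda (per 10^6 hr)."""
    if not (0.0 <= beta <= 1.0 and 0.0 <= alpha <= 1.0):
        raise ValueError("alpha and beta must lie in [0, 1]")
    if lam < 0.0:
        raise ValueError("failure rate cannot be negative")
    return alpha * beta * lam


def overallocated_items(rows, tol=1e-9):
    """Items whose listed frequency ratios add up to more than 1.0.

    alpha is the share of an item's failures that occur in one mode, so the
    shares of one item cannot total more than 1; a larger sum is a data error.
    """
    sums = defaultdict(float)
    for code, _mode, _beta, alpha, _lam in rows:
        sums[code] += alpha
    return {code: total for code, total in sums.items() if total > 1.0 + tol}


def unit_criticality(rows, digits=3):
    """Eq. 8-2 for one sheet: sum CR over every item and every failure mode.

    Each entry is rounded to `digits` places first, as on the work sheet,
    so the total matches a hand-added column.
    """
    per_mode = []
    per_item = defaultdict(float)
    for code, mode, beta, alpha, lam in rows:
        cr = round(criticality(beta, alpha, lam), digits)
        per_mode.append((code, mode, cr))
        per_item[code] += cr
    total = round(sum(cr for _code, _mode, cr in per_mode), digits)
    return total, dict(per_item), per_mode


def ranked_contributors(rows):
    """Failure modes with non-zero CR, largest first (candidates for redesign)."""
    _total, _items, per_mode = unit_criticality(rows)
    return sorted((r for r in per_mode if r[2] > 0.0), key=lambda r: -r[2])


if __name__ == "__main__":
    total, _per_item, _per_mode = unit_criticality(SHEET_PAGE_2)
    print("page total:", total, "per 10^6 hr")
    for code, mode, cr in ranked_contributors(SHEET_PAGE_2):
        print(f"{code:8s} {mode:24s} {cr:.3f}")
    print("over-allocated items:", overallocated_items(SHEET_PAGE_2))
```

The ranking puts the failure modes that dominate the total first, which is where the corrective actions listed before Example Problem No. 12 have the most effect.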
8-4 COMPUTER ANALYSIS

A computer can be quite useful in performing an FMEA, since a large number
of computations and a large amount of record keeping are often required for
systems of reasonable size.

In the failure effects portion of the analysis the computer is used
primarily for function evaluation, using performance models. On the
assumption that the computer program contains the design equations relating
system outputs to various design parameters, each item is allowed to fail
in each one of its modes, and the effect on the system is computed.

Several computer programs are available for evaluating circuits. The NET-1
(Ref. 3) network analysis program can be used for a failure effects
analysis of a circuit containing transistors and passive circuit elements.
The value of all of the circuit performance parameters would be printed out
for each abnormal condition. NET-1 does not automatically consider failure
modes of circuit parts such as shorts and opens; investigation of these
requires manually setting up a new run for each set of values of the parts.
A shorted resistor would have zero resistance and an open resistor would
have infinite resistance.

Circuit analysis programs such as ECAP (Electronic Circuit Analysis
Program) (Ref. 4), which accept a topological input description of the
circuit and synthesize the circuit equations, can be used to evaluate
failure effects, but computer running time can become excessive since the
circuit equations may have to be generated over again for each run. For
extreme failure modes such as an open or a short of a part, the circuit
configuration is changed and a completely new solution is required.

The AMAP (Automated Failure Mode Analysis Program) (Ref. 5) is a circuit
analysis program that automates the failure effect analysis for DC
circuits. It repeatedly solves the circuit equations, computing and
printing circuit node voltages, for failure modes such as open and short of
parts and shorts between all node pairs. However, AMAP includes only
resistors, diodes, transistors, power supplies, and nodes. This automated
approach to failure effects analysis can be used effectively in other types
of systems such as structures and propulsion systems, but no programs are
known which provide these capabilities.

Two other programs that can be used for FMEA are:

(1) IM 045-NAA: Analyzes failure mode effects at system, subsystem, or part
level. (Ref. 6)

(2) IM 066-NAA: Revision of IM 045-NAA. (Ref. 8)

(3) IM 063-NAA: Analyzes failure mode effects at system, subsystem, or part
level. (Ref. 7).
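The automated approach this section describes (fail each part open and short, re-solve the circuit equations, record the node voltages) looks like this for a small DC resistor network. This is an added example, not code from AMAP or any program named above; the circuit, the GMIN leak, the 1e-6 ohm stand-in for a short, and the 5%/10% effect thresholds are all assumptions.

```python
GMIN = 1e-12            # siemens; assumed leak to ground so a floating node stays solvable
R_SHORT = 1e-6          # ohms; assumed stand-in for the zero resistance of a shorted part
R_OPEN = float("inf")   # an open part has infinite resistance (zero conductance)

# Constructed circuit: 12 V supply, divider R1/R2, series R3, load R4.
SUPPLY = {"gnd": 0.0, "vcc": 12.0}
CIRCUIT = {
    "R1": ("vcc", "mid", 1000.0),
    "R2": ("mid", "gnd", 1000.0),
    "R3": ("mid", "out", 100.0),
    "R4": ("out", "gnd", 10000.0),
}
# Effect classes and loss probabilities as they appear on the Fig. 8-5 work sheet.
BETA = {"No Output": 1.00, "Wrong Output": 0.10, "No Effect": 0.00}


def solve(a, b):
    """Solve a*x = b by Gaussian elimination with partial pivoting."""
    n = len(b)
    m = [row[:] + [b[i]] for i, row in enumerate(a)]
    for col in range(n):
        piv = max(range(col, n), key=lambda r: abs(m[r][col]))
        m[col], m[piv] = m[piv], m[col]
        for r in range(col + 1, n):
            f = m[r][col] / m[col][col]
            for c in range(col, n + 1):
                m[r][c] -= f * m[col][c]
    x = [0.0] * n
    for r in range(n - 1, -1, -1):
        x[r] = (m[r][n] - sum(m[r][c] * x[c] for c in range(r + 1, n))) / m[r][r]
    return x


def node_voltages(circuit, fixed):
    """Nodal analysis: build the conductance matrix and solve for unknown nodes."""
    unknown = sorted({n for a, b, _ in circuit.values() for n in (a, b)} - set(fixed))
    idx = {n: i for i, n in enumerate(unknown)}
    g = [[0.0] * len(unknown) for _ in unknown]
    rhs = [0.0] * len(unknown)
    for i in range(len(unknown)):
        g[i][i] = GMIN
    for a, b, ohms in circuit.values():
        cond = 1.0 / ohms                      # 1/inf == 0.0 for an open part
        for p, q in ((a, b), (b, a)):
            if p in idx:
                g[idx[p]][idx[p]] += cond
                if q in idx:
                    g[idx[p]][idx[q]] -= cond
                else:
                    rhs[idx[p]] += cond * fixed[q]
    volts = dict(fixed)
    volts.update(zip(unknown, solve(g, rhs)))
    return volts


def classify(v, nominal, dead=0.05, tol=0.10):
    """Map an output voltage to a failure effect (thresholds are assumptions)."""
    if abs(v) < dead * abs(nominal):
        return "No Output"
    if abs(v - nominal) > tol * abs(nominal):
        return "Wrong Output"
    return "No Effect"


def failure_effects(circuit, fixed, output="out"):
    """Fail every part open and short, one at a time, and tabulate the effect."""
    nominal = node_voltages(circuit, fixed)[output]
    table = []
    for name, (a, b, _ohms) in circuit.items():
        for mode, ohms in (("open", R_OPEN), ("short", R_SHORT)):
            failed = dict(circuit)
            failed[name] = (a, b, ohms)
            v = node_voltages(failed, fixed)[output]
            effect = classify(v, nominal)
            table.append((name, mode, v, effect, BETA[effect]))
    return nominal, table


if __name__ == "__main__":
    nominal, table = failure_effects(CIRCUIT, SUPPLY)
    print(f"nominal output {nominal:.4f} V")
    for name, mode, v, effect, beta in table:
        print(f"{name} {mode:5s} {v:9.4f} V  {effect:12s} beta={beta:.2f}")
```

Each row of the result supplies the Failure Effect and Loss Probability columns of the work sheet for one part and one mode.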
CHAPTER 9 MODELS FOR FAILURE

9-0 LIST OF SYMBOLS

A = parameter in Eq. 9-50
a, b = width and length of a plate
Cdf = Cumulative distribution function
cf,c; = coefficients in linear expansion, defined by Eqs. 9-31C, D
D = diameter
d = design load factor
E = Young's modulus, modulus of elasticity (units of stress)
e = strain (dimensionless)
F = strength
f = stress
$G_\phi$ = Cdf{φ}
G, = Sf{φ}
$g_\phi$ = pdf{φ}
gauf = Cdf for a standard s-normal (Gaussian) variable
gaufc = Sf for a standard s-normal (Gaussian) variable
G, J, H = parameters in Eq. 9-50
h = thickness of a plate
l = length
MS = margin of safety
n = limit load factor
n = number of x_i's
Nt, Ns = parameters in Eq. 9-50
P = power, Eq. 9-50
pdf = probability density function
Po = parameter in Eq. 9-50
  = load, limit load, design load
PSM = probabilistic safety margin
Q = probability of failure
Sf = Survivor function, Sf = 1 − Cdf
T = temperature, Eq. 9-50
t, u = subscripts → tensile, ultimate
u = stress or strength, random variable
x_i = random variable i
y = a function
α = scale parameter (same units as u)
β = shape parameter (dimensionless)
γ = location parameter (same units as u)

7* 

& 

n 

^R  Afi 
n R 'nE 


°* 

0 

<t> 


coefficient of variation, defined by Eq. 9-31B
elongation
defined by Eq. 9-36
failure rates, see Eqs. 9-49, 9-50
mean value of φ
application factors for resistor failure rates
failure rate term, see Eq. 9-49
standard deviation of φ
parameters of a distribution
parameter k of a distribution
general name for a random variable, it can be f, F, or F - f


9-1 INTRODUCTION

Two main classifications of material behavior are introduced for “things
that cause failure”, i.e.,

(1) Stress-strength. Any stress below the failure-stress (strength)
produces only a reversible effect (such as elongation or increased
electric-current flow). When the stress is removed, there is no damage—no
evidence that the stress was ever there. A good example is tensile stress
in a steel bar.

(2) Damage-endurance. The application of a damager (such as a corrosive
fluid) produces damage that cumulates (usually irreversibly). When the
damager is removed, the damage remains; if the damager is applied again,
the damage increases again. The item fails when the damage exceeds the
endurance of the material. A good example is fatigue damage in aluminum
alloys due to fluctuating bending stresses.

Both can be treated either deterministically or probabilistically. Data on
probabilistic behavior are very difficult (expensive and time consuming) to
obtain.

The simple explanations of stress-strength and damage-endurance belie the
complicated nature of failure in materials. Structural materials have many
modes of failure; e.g., tensile, bending, shear, corrosion, impact,
ductile, brittle, fatigue, corrosion-fatigue, stress-corrosion,
embrittlement, fretting corrosion, and mechanical abrasion. A description
of a steel alloy as “high strength” can be very misleading. Usually, in
that case, only uniaxial tension failure is implied, and all other failure
modes are neglected. The impact strength, or ductile-brittle transition
temperature might be very poor.

Generally speaking, when specialty materials are being used, a specialist
on each material ought to be consulted. Metallurgists and material
engineers are the most likely consultants in this area. MIL-HDBK-5 (Ref. 3)
is a good source of material, but does not cover all failure modes.
Handbooks such as Refs. 10, 11 are helpful. Ref. 12 is a good book which
describes some failure modes of metals and gives case histories. Every
designer should read some case histories of structural failures. It can be
a sobering, humble experience.

This chapter introduces several types of mathematical analysis; it does not
discuss the detailed knowledge of materials that is so necessary to good
structural design. The designer ought also to be aware that it is one thing
to specify a material with certain guaranteed properties; it is another
thing to get the properties, month after month, on every bit of material
delivered under that specification.

The stress/strength notation used in this chapter is taken from MIL-HDBK-5
(Ref. 3, July 72 update). It uses F for strength and f for stress.

9-2 DETERMINISTIC STRESS-STRENGTH

A general stress-strength model can be stated.

“There exist a scalar S and a value of that scalar S* such that the part
fails if and only if S > S* (S* is the strength), values of S < S* do no
damage to the part; in fact, damage less than failure, has no meaning. S
can only depend reversibly on the environment (mechanical, electric, fluid,
temperature, etc.) of the part.”

The breakdown voltages of semiconductor devices and tensile failures of
structural materials are presumed to be adequately described by this model.


Even in mechanics where this model is applicable, determining the parameter
S is not always easy. Ref. 13 lists six stress-strength models for failure
with multiaxial stresses: maximum principal stress (Rankine), maximum shear
stress (Coulomb), maximum strain energy (Beltrami), maximum distortion
energy (Huber, von Mises, Hencky), maximum strain (Saint-Venant), and
internal energy (Mohr). For ductile materials the distortion energy model
is best when the tension/compression properties are the same, and the
internal energy model is best when they are not the same (Ref. 13). Safety
codes tend to use the maximum shear model for ductile materials and maximum
principal stress model for brittle ones. In each case, the strength is
derived by comparison with the parameter of the model when evaluated for
uniaxial stress. This detailed example illustrates the complexity of the
subject even in a situation that “everyone knows and understands” and where
generalization is easy. In this example, even though more than one
dimension of stress are combined, they are of the same nature, viz.,
mechanical stress. The complexity that can arise when this is not true is
not often appreciated.

The criteria for failure have been implicitly presumed to exist. Failure
must be explicitly defined, and S* depends on that definition. For example,
there are both yield and ultimate strengths of metals which are defined
differently, and, for semiconductor devices, the breakdown voltages usually
are defined in terms of a specific current or a change in current.

It is conceptually easy to extend the simple stress-strength theory to the
case where several different failure modes exist. If they are independent,
the resultant strength is fairly simple, if not, the synergistic effects
can be taken into account in principle. In practice, the problem is
difficult if not impossible and is not pursued very far. Instead,
simplifying assumptions are made and life marches on.

9-2.1 TENSILE STRENGTH

This paragraph deals with tensile/compressive stress. The same principles
are applicable to other mechanical stress and to more generalized
“stresses” such as electric field. MIL-HDBK-5 (Ref. 3) ought to be
consulted for a more comprehensive discussion. No mechanical designer ought
ever to be without the latest version of MIL-HDBK-5.

A structural nonviscoelastic material undergoes strain when a uniaxial
stress is applied. Most such materials have a linear region, i.e., Hooke’s
law holds as long as the stress is not too high.

$f_t = eE$   (9-1)

where

$f_t$ = tensile stress, force/area
e = strain (elongation/original length), dimensionless. Strain is often
given “units” of inches/inch.
E = modulus of elasticity, force/area.

Even though the modulus of elasticity is independent of stress and strain
in the linear region (by definition of linear region), it does depend on
temperature and on material composition and structure. For ferrous alloys,
though, it is remarkably independent of composition and structure.

Beyond the limits of Hooke’s law, strain increases as the stress increases,
but the linearity ceases. Plotting stress against strain for any material
gives the tensile-test diagram, Fig. 9-1. Fig. 9-1(A) is typical of a
ferrous material such as carbon or alloy steel, and Fig. 9-1(B) is typical
of some nonferrous materials such as brass and aluminum and of some
stainless steels. The important distinction between the two curves is that
Fig. 9-1(A) shows a definite inflection point and change of curvature,
whereas Fig. 9-1(B) does not.

Certain points on these curves have been defined and are important material
properties. Consider first the stress-strain curve in Fig. 9-1(A). The
region from zero to A is a reasonably straight line, showing that the
material is obeying Hooke's law (say, within 0.1% or so). This leads to the
definition of point A as the proportional limit. It readily can be seen
that the equation of this line is the familiar $f_t = eE$, where E is the
slope.

Beyond point A linearity ceases, and at point B a sudden increase in
elongation takes place with little or no increase in load. This phenomenon
is called yielding, and point B is called the yield point of the material.
The stress associated with this point is the yield stress. Once this point
is reached in the material, all load can be removed from the specimen and
the stress returned to zero, but a residual strain, permanent set, will
remain. Any permanent set is usually considered detrimental to a structural
member.

Beyond point B, stress and elongation continue to change until the maximum
stress, the ultimate stress, is reached at point C. Rupture of the material
occurs at point D, which is reached without any increase in stress or load.
In fact, decreasing the load beyond point C will not necessarily avert
fracture. The curve of Fig. 9-1(A) exhibits this definite, observed yield
point; one which easily can be recognized as it occurs during a tensile
test. The region near M is very machine dependent. The fall-off in stress
is caused by the slow rate of pulling the specimen by the tensile machine.

The materials represented by Fig. 9-1(B), however, do not exhibit as
definite a yield point, although the other points on the curve are defined
in the same manner as their counterparts in Fig. 9-1(A). In materials such
as those represented by Fig. 9-1(B), it generally is accepted that the
yield point is the stress at the 0.2 percent “offset point”, viz., the
point at which the actual strain exceeds the linearly extrapolated strain
by 0.002. To find this point, draw a line through the point (e = 0.002,
S = 0) with a slope of E; where this line intersects the curve is the 0.2
percent yield point of the material.

Similar diagrams will result for tests in compression and in shear,
although the modulus might be different. These structural properties are
listed in tables in various handbooks, such as MIL-HDBK-5 (Ref. 3) which
has joint military service approval.

The properties presented in most handbooks are room-temperature properties.
If a problem involves elevated temperatures, the allowable properties must
be those for the elevated temperature; these are usually lower than the
room temperature properties. Although the tables in MIL-HDBK-5 generally
are room-temperature values, some curves do give the effects of
temperature. If these curves are inadequate, the Military Specifications
governing the specific materials ought to present the elevated-temperature
data required if they exist. It is easy for the designer to be lulled by a
false sense of security by data in handbooks and supplier’s literature. Not
much really is guaranteed unless:

(1) The data to be guaranteed appear in the purchase order

(2) The receiving inspection actually checks it

(3) No waivers are given for discrepant material.

9-2.2 SAFETY FACTORS, LOAD FACTORS, AND MARGIN OF SAFETY

Load analysis is used to determine the loads which exist on the structure
under consideration. Stress analysis is the means by which the designer
determines whether his structure is adequate to withstand these loads
without failure. Since no universal criteria for failure exist, they must
be defined to suit each problem. Mechanical failure can be divided into
four general categories:

(1) Rupture. A physical parting of the fibers or grains of the material
when the ultimate (tensile or shear) stress is exceeded.

(2) Yielding. The stress in the material exceeds its yield stress in
tension, compression, or shear and permanent set takes place.

(3) Buckling. The stress exceeds an allowable stress that is determined by
the geometry of the loaded member. For example, columns buckle at a stress
which depends upon the length to radius-of-gyration ratio; thin flat panels
buckle under a shear stress that depends upon the ratio of panel width to
metal thickness.

(4) Deflection. Since all structural members deflect under load, this
deflection becomes a failure criterion in certain problems, particularly
those associated with vibration environments.

Some confusion exists among designers in the definition and use of safety
factors, load factors, and margins of safety. Therefore, to clarify their
use in the following discussion, they are defined here.

Safety Factors. Safety factors are numbers representing a degree of
uncertainty in the expected load, the material properties, or other
pertinent data of the problem. These are applied to reduce the nominal
properties of the material to a lower value that shall then not be exceeded
in the design calculations. For example, tensile ultimate stress for 2024T4
aluminum alloy extruded bar stock is published in MIL-HDBK-5 (July 72
update) as 57,000 psi (for < 0.50 in. diameter; L, A basis). A safety
factor of 3 applied to a member designed in the alloy would reduce this
ultimate stress to an allowable stress of 19,000 psi. Fatigue from repeated
or cyclic loads sometimes is treated by applying a safety factor to the
ultimate stress of the material but it is better to use fatigue curves if
they are available.

Abrupt changes in cross section, notches, grooves, or other discontinuities
ought to be avoided in the design of structural parts, since these function
as stress raisers. When these cannot be avoided, the designer must apply
specific design factors in these local areas. Many handbooks publish tables
and examples or guides to the magnitude of design factors which can be used
and which are considered adequate. However, the engineer must be cautioned
to use care in his selection of a design factor from a handbook since the
degree of uncertainty of the data usually is not presented.

Load Factors. Load factors are numbers representing multiplying factors
applied to the load on the structure. Loads can be caused by any number of
environmental conditions such as an aircraft in arrested landing or in
catapult take-off, a truck proceeding across country on rough or bumpy
roads, or a ship subjected to an underwater blast or the firing of its own
guns. Load factors usually are expressed in terms of g, or gravity units.
Since the load analysis has been performed under a 1-g condition, the load
factors easily can be taken into account by multiplying calculated loads
and reactions by the proper load factor. By this simple means, it is easy
to take into account different loading conditions in different directions
or at different points in the structure without directly affecting the
original load analysis.

Limit Load. Limit load is the load that the structure is expected to
experience—it is the limit of the load on the structure.

Design Load. Design load is larger than the limit load and is used to
compare the stress in the structural members. Usual practice for airborne
equipment is to define:

Design Load = 1.5 × (limit load)   (9-2)

Although the 1.5 design load factor can be modified by the individual
designer, it is recommended that the range of selection remain between 1.5
and 2.0. Larger factors tend to be too conservative and result in an
overweight and more costly structure.

Margin of Safety. Margin of safety MS is the fraction increase of the
computed stress required to equal the allowable stress. It is calculated by
the relationship:

$$MS = \frac{(\text{allowable stress}) - (\text{computed stress})}{\text{computed stress}} \qquad (9\text{-}3)$$

If the computed stress equals the allowable stress, there is obviously a
zero margin of safety, and failure is imminent. Therefore, a positive
margin is desired in all design, and experience has shown that a 15-percent
margin is adequate for most purposes. Exceptions should be made to this
rule in some instances where a single bolt carries the load in tension
(50-percent margin recommended), or where a particularly severe design
condition has a negligible possibility of occurrence (zero margin may be
acceptable).

Allowable Stress. An allowable stress is defined as the stress that a
member may be allowed to reach (zero margin) and beyond which failure as
previously defined is imminent. When yielding is the failure criterion, the
allowable stress is the yield stress as modified by any imposed safety
factors. For all other cases (e.g., when rupture is the failure criterion),
the allowable stress is the ultimate stress of the material (whether taken
from a handbook or calculated from a formula such as Euler’s column
formula) as modified by any imposed safety factors. In some special
problems where it is specified that the yield stress shall be used as the
failure criterion, the limit load can be multiplied by some lower, minimum
design load factor, e.g., 1.15, instead of the 1.5 previously noted (to
conserve weight and cost). All problems and examples in this discussion,
however, consider the design load factors, and the margins of safety are
computed on the ultimate stress.

Some sample problems will illustrate the preceding discussion; Example
Problem No. 13 follows.

9-3 PROBABILISTIC STRESS-STRENGTH

Probabilistic stress/strength analysis is a reliability analysis technique
used to analyze structures and mechanical and electrical components.
Pioneering work in this field was accomplished by Robert Lusser at Redstone
Arsenal. A summary of Lusser’s work is presented in Ref. 1. For mechanical
systems, the technique consists of computing the probability that the
applied stress exceeds the material strength, assuming that the strength
varies from item to item and the applied stress is variable. The strength
of a particular class of component or item varies because of irregularities
in the manufacturing process. By this technique a system can be designed in
such a way that the probability of failure is below some prescribed value.
Once the allowable failure probability is specified, the system design
parameters can be computed.

Probabilistic  stress/strength  analysis  is 
concerned  with  the  problem  of  determining 
the  probability  of  failure  of  a part  which  is 
subjected  to  a stress  f and  which  has  a 
strength  F (Ref.  4).  Both  f and  F are  assumed 
to  be  random  variables  with  known  distribu- 
tions; the  pdfs  of  f and  F are  illustrated  in 
Fig.  9-3.  Failure  occurs  whenever  stress  ex- 
ceeds strength.  Therefore,  the  probability  cf 
failure  is  equivalent  to  the  probability  that 
stress  exceeds  strength. 

The  definitions  of  terms  used  in  Fig.  9-3 
and  used  later  in  the  chapter  follow: 

pdf = probability density function
Cdf = cumulative distribution function
Sf = survivor function
Θ = parameters of the distribution, Θ =
Example Problem No. 13

A 2024T4 aluminum-alloy rod, 10 in. long ℓ, is loaded with 2000 lb P as
shown in Fig. 9-2. Find the diameter D of rod required to support this
load when subjected to a limit load factor n of 3.2, a design load
factor d of 1.5, and a minimum margin of safety MS of 15 percent: (a) to
avoid rupture, and (b) to have a maximum elongation δ of 0.04 in. under
1-g conditions.

Procedure and Example

(1) State the basic conditions.

    ℓ = 10 in.
    P = 2,000 lb
    n = 3.2
    d = 1.5
    MS = 15%                                                   (9-4)

(2) Determine the ultimate stress $F_{tu}$ for the 2024T4 aluminum rod
    from MIL-HDBK-5 (pp. 3-50, July 72 update).

    $F_{tu} = 57 \times 10^3$ psi (L, A basis)                  (9-5)

(3) Since rupture is the defined failure criterion and no safety factor
    is involved, the allowable stress F is taken as the ultimate stress
    $F_{tu}$. From the equation for margin of safety MS (Eq. 9-3), the
    computed stress $f_t$ is:

    $f_t = F/(1 + MS)$                                          (9-6)

    $f_t = 57 \times 10^3/(1 + 0.15) = 49.6 \times 10^3$ psi     (9-7)

(4) Compute the required limit load $P_L$ by:

    $P_L = nP$                                                  (9-8)

    $P_L = 3.2 \times 2{,}000 = 6{,}400$ lb                      (9-9)

(5) Compute the design load $P_d$ by:

    $P_d = dP_L$                                                (9-10)

    $P_d = 1.5 \times 6{,}400 = 9{,}600$ lb                      (9-11)

(6) Compute the required cross-sectional area $A_{req}$ of the rod by:

    $A_{req} = P_d/f_t$                                         (9-12)

    $A_{req} = 9{,}600/49{,}600 = 0.194$ in.$^2$                 (9-13)

(7) Compute the required diameter $D_{req}$ of the rod by:

    $D_{req} = (4A/\pi)^{1/2}$                                  (9-14)

    $D_{req} = (4 \times 0.194/\pi)^{1/2}$                      (9-15)

(8) Compute the elongation δ of the rod by:

    $\delta = P\ell/(AE)$                                       (9-16)

    where E is the modulus of elasticity = $10.8 \times 10^6$ psi (from
    MIL-HDBK-5, pp. 3-50, July 72 update).

    $\delta = 2{,}000 \times 10/(0.194 \times 10.8 \times 10^6) = 0.0095$ in.   (9-17)

The elongation (0.0095 in.) is well within the elongation limit
(0.04 in.). Therefore, the required diameter is 0.496 in., and if the
standard machine-shop tolerance is ± 0.010 in., the nominal diameter to
be specified is 0.506 in. Standard 0.500 in. diameter extruded bar stock
available from a warehouse is probably the practical choice in this
problem, because the tolerance on the stock is less than ± 0.010 in.,
which eliminates the need for machining.

FIGURE 9-2. Aluminum Simple Uniaxial Tension


it helps to show the parameters explicitly. The distributions of stress
and strength are usually assumed to be one of the tractable smooth
distributions such as s-normal (Gaussian), Weibull, or lognormal; but
nature itself is rarely restricted by mathematical tractability.

The concept of safety factor can be incorporated into probabilistic
stress/strength analysis (Ref. 5). In par. 9-3.2, a method is described
for quantitatively defining a safety factor in terms of the possible
variations of component design variables and for computing the
probability of safety for a given load.

9-3.1 COMPUTING PROBABILITY OF FAILURE

To compute the probability of failure, one must compute the probability
that one random variable, called stress, exceeds another random
variable, called strength (Ref. 4). In practical applications, these
random variables are s-independent of each other.

There are 3 forms in which the probability of failure can conveniently
be written.

    $Q\{\Theta_F, \Theta_f\} = \int_0^\infty g_f(u;\Theta_f)\, G_F(u;\Theta_F)\, du$         (9-18)

    $Q\{\Theta_F, \Theta_f\} = \int_0^\infty g_F(u;\Theta_F)\, \bar{G}_f(u;\Theta_f)\, du$   (9-19)

    $Q\{\Theta_{F-f}\} = G_{F-f}(0;\Theta_{F-f})$                                            (9-20)


f = stress (also used as subscript)
F = strength (also used as subscript)
F−f = exceedance of strength over stress (also used as subscript)
$g_\phi(\cdot;\Theta_\phi)$ = pdf of φ; the parameters of the distribution are $\Theta_\phi$
$G_\phi(\cdot;\Theta_\phi)$ = Cdf of φ; the parameters of the distribution are $\Theta_\phi$
$\bar{G}_\phi(\cdot;\Theta_\phi)$ = Sf of φ; the parameters of the distribution are $\Theta_\phi$
φ = general name for any random variable; it can be f, F, or F−f

The Θ need not always be written, because a distribution always has
parameters; but often


where Q{·} is the notation for probability of failure. Eqs. 9-18 and
9-19 can be readily transformed into each other by integrating by
parts.

Eq. 9-18 is obtained from Fig. 9-3 as follows. Pick a value of u as
illustrated by the vertical dashed line. The element of
probability-of-failure is the probability $g_f(u;\Theta_f)\,du$ that the
stress is in the neighborhood of u times the probability
$G_F(u;\Theta_F)$ that the strength is below u. This element of
probability is integrated over all possible values of u to give the
probability of failure.

Eq. 9-19 is similarly obtained except that the element of
probability-of-failure is the probability $g_F(u;\Theta_F)\,du$ that the
strength is in the neighborhood of u times the probability
$\bar{G}_f(u;\Theta_f)$ that the stress is above u.

FIGURE 9-3. Typical Probability Density Function g of Stress f and Strength F.

Eq. 9-20 is derived by considering the distribution of F−f.
$G_{F-f}(u;\Theta_{F-f})$ is the Cdf of F−f at the point u. The failure
probability is the probability that F−f ≤ 0; this probability is
$G_{F-f}(0;\Theta_{F-f})$ by definition of the Cdf.

Even though it is possible to use any of the three equations 9-18,
9-19, 9-20 in a calculation, usually one will be much more tractable
than the others.

The solution of practical problems requires the evaluation of an
integral. For some stress and strength factors, these integrals can be
expressed in terms of known functions. In other cases, the integrals
must be numerically evaluated. Several practical cases are considered:

(1) s-Normally Distributed Strength and s-Normally Distributed Stress

Given:

(1) Stress f has s-normal (Gaussian) distribution with mean $\mu_f$ and
    standard deviation $\sigma_f$.

(2) Strength F has s-normal (Gaussian) distribution with mean $\mu_F$
    and standard deviation $\sigma_F$.

(3) Stress and strength are s-independent, given that the parameters of
    their distributions are known.

Find: Probability of failure.

Solution: Eq. 9-20 is easiest to use because the distribution of F−f is
easily calculated. If 2 random variables are s-independently and
s-normally distributed, their difference has a s-normal distribution
whose mean is the difference of the 2 means and whose variance is the
sum of the 2 variances. (This statement is true regardless of the
distributions, but the results are very tractable for the s-normal
distribution.) Therefore F−f has a s-normal distribution with mean
$\mu_{F-f}$

    $\mu_{F-f} = \mu_F - \mu_f$                                 (9-21)

and standard deviation $\sigma_{F-f}$

    $\sigma_{F-f} = (\sigma_F^2 + \sigma_f^2)^{1/2}$            (9-22)

The probability of failure Q is, from Eq. 9-20

                                                                (9-23)

where gauf is the Cdf of the standard s-normal (Gaussian) distribution.
(Named analogously to the error function.)

Example Problem No. 14 illustrates the procedure.

(2) Weibull Distributed Strength and Weibull Distributed Stress

The Weibull distribution is more difficult to work with than the
s-normal distribution. The probability of failure cannot be obtained in
closed form. The procedure used to compute the probability of failure
for cases in which both stress and strength have Weibull distributions
is to develop the integral expression for probability of failure and to
evaluate this integral numerically. A detailed table of values of the
integral for Weibull parameter values pertinent to mechanical problems
is given in Ref. 6.
Example Problem No. 14:

A mechanical component has a s-normal strength distribution with
$\mu_F = 22 \times 10^3$ psi and $\sigma_F = 1.5 \times 10^3$ psi. The
applied stress is s-normally distributed with $\mu_f = 19 \times 10^3$
psi and $\sigma_f = 2.0 \times 10^3$ psi. What is the probability of
failure?

Procedure and Example

(1) State the parameters of the strength distribution.

    $\mu_F = 22 \times 10^3$ psi
    $\sigma_F = 1.5 \times 10^3$ psi                            (9-24)

(2) State the parameters of the applied stress.

    $\mu_f = 19 \times 10^3$ psi
    $\sigma_f = 2.0 \times 10^3$ psi                            (9-25)

(3) Compute $\mu_{F-f}$ and $\sigma_{F-f}$ by Eqs. 9-21 and 9-22.

    $\mu_{F-f} = 22 \times 10^3 - 19 \times 10^3 = 3 \times 10^3$ psi                        (9-26)

    $\sigma_{F-f} = [(1.5 \times 10^3)^2 + (2.0 \times 10^3)^2]^{1/2} = 2.5 \times 10^3$ psi  (9-27)

(4) Determine the probability of failure Q by Eq. 9-23. This
    probability can be evaluated using tables of gauf, i.e., s-normal
    (Gaussian) Cdf.

    $Q = \mathrm{gauf}(-1.2) = 0.115$                           (9-28)
The most useful form of the Weibull Cdf for stress/strength reliability
prediction is:

    Cdf{u} = exp                                                (9-29)

where

γ = location parameter (same dimension as u)
α = scale parameter (same dimension as u)
β = shape parameter (dimensionless)
u = stress or strength

See Part Six, Glossary and Mathematical Appendix for more discussion of
the Weibull distribution. Eq. 9-18 or 9-19 is used for the calculation
of Q.

(3) Weibull Distributed Strength and s-Normally Distributed Stress

This, too, is intractable. Eq. 9-18 or 9-19 must be numerically
evaluated for every case. Ref. 6 has some tables for this case.

The reasons that stress and strength are often assumed to be s-normally
distributed are:

(1) It is not a terribly bad approximation.

(2) Probabilities of failure are calculated readily, once the data are
    known.

(3) It is difficult enough to get good data for your problem, even with
    this simple assumption. Most structural metals are ordered by a
    specification that is not well related to a sophisticated
    probabilistic analysis. Most receiving inspections are even less
    well able to assure that the material being received has the
    properties that were assumed in the calculations.
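The following Python sketch is an added example, not part of the handbook. It evaluates the closed form of case (1) on the data of Example Problem No. 14 and evaluates Eqs. 9-18 and 9-19 numerically for case (3). Assumptions: all function names, the integration limits 0 to 60 × 10^3 psi, the Weibull strength parameters (constructed for illustration), and the standard three-parameter Weibull Cdf 1 − exp{−[(u − γ)/α]^β}.

```python
import math

SQRT2 = math.sqrt(2.0)


def gauf(z):
    """Cdf of the standard s-normal (Gaussian) distribution."""
    return 0.5 * math.erfc(-z / SQRT2)


def q_normal(mu_F, sigma_F, mu_f, sigma_f):
    """Closed form for s-independent s-normal strength F and stress f.

    F - f is s-normal with mean mu_F - mu_f (Eq. 9-21) and standard
    deviation (sigma_F^2 + sigma_f^2)^(1/2) (Eq. 9-22); the failure
    probability is its Cdf evaluated at 0 (Eq. 9-20).
    """
    if sigma_F <= 0 or sigma_f <= 0:
        raise ValueError("standard deviations must be positive")
    return gauf(-(mu_F - mu_f) / math.hypot(sigma_F, sigma_f))


def simpson(func, lo, hi, n=6000):
    """Composite Simpson's rule on [lo, hi] with n (even) intervals."""
    if n % 2:
        n += 1
    h = (hi - lo) / n
    total = func(lo) + func(hi)
    for i in range(1, n):
        total += (4 if i % 2 else 2) * func(lo + i * h)
    return total * h / 3.0


def q_eq_9_18(stress_pdf, strength_cdf, lo, hi):
    """Eq. 9-18: integrate (stress pdf) x (strength Cdf)."""
    return simpson(lambda u: stress_pdf(u) * strength_cdf(u), lo, hi)


def q_eq_9_19(strength_pdf, stress_sf, lo, hi):
    """Eq. 9-19: integrate (strength pdf) x (stress Sf)."""
    return simpson(lambda u: strength_pdf(u) * stress_sf(u), lo, hi)


def normal(mu, sigma):
    """Return (pdf, Cdf, Sf) callables of an s-normal distribution."""
    def pdf(u):
        z = (u - mu) / sigma
        return math.exp(-0.5 * z * z) / (sigma * math.sqrt(2.0 * math.pi))
    return pdf, (lambda u: gauf((u - mu) / sigma)), (lambda u: gauf(-(u - mu) / sigma))


def weibull(gamma, alpha, beta):
    """Return (pdf, Cdf, Sf) of a 3-parameter Weibull (standard form, assumed).

    beta >= 1 is required so the pdf stays finite at u = gamma, which the
    fixed-step quadrature above needs.
    """
    if alpha <= 0 or beta < 1:
        raise ValueError("need alpha > 0 and beta >= 1")

    def sf(u):
        return 1.0 if u <= gamma else math.exp(-(((u - gamma) / alpha) ** beta))

    def pdf(u):
        if u < gamma:
            return 0.0
        t = (u - gamma) / alpha
        return (beta / alpha) * t ** (beta - 1) * math.exp(-(t ** beta))

    return pdf, (lambda u: 1.0 - sf(u)), sf


def example_14():
    """Example Problem No. 14 data (psi): closed form, Eq. 9-18, Eq. 9-19."""
    g_f, _, sf_f = normal(19e3, 2.0e3)
    g_F, G_F, _ = normal(22e3, 1.5e3)
    return (q_normal(22e3, 1.5e3, 19e3, 2.0e3),
            q_eq_9_18(g_f, G_F, 0.0, 60e3),
            q_eq_9_19(g_F, sf_f, 0.0, 60e3))


def weibull_strength_case():
    """Case (3) with constructed Weibull strength: gamma=15e3, alpha=8e3, beta=3."""
    g_f, _, sf_f = normal(19e3, 2.0e3)
    g_F, G_F, _ = weibull(15e3, 8e3, 3.0)
    return q_eq_9_18(g_f, G_F, 0.0, 60e3), q_eq_9_19(g_F, sf_f, 0.0, 60e3)


if __name__ == "__main__":
    print("Example 14 (closed form, Eq. 9-18, Eq. 9-19):", example_14())
    print("Weibull strength (Eq. 9-18, Eq. 9-19):", weibull_strength_case())
```

Agreement between the Eq. 9-18 and Eq. 9-19 results is a useful check on the integration limits: the two forms differ only by the boundary terms of the integration by parts, which vanish when the limits cover both distributions.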


9-3.2  PROBABILISTIC  SAFETY  MARGIN 


The probabilistic safety margin relates the mean difference between
stress and strength to the uncertainty in that difference. This concept
generally is attributed to Lusser (Ref. 1). The definition of
probabilistic safety margin is:

    $PSM \equiv \dfrac{\mu_{F-f}}{\sigma_{F-f}} = \dfrac{\mu_F - \mu_f}{(\sigma_F^2 + \sigma_f^2)^{1/2}}$   (9-30)

where

PSM = probabilistic safety margin
F = strength
f = stress
$\mu_{F-f}$ = mean of F−f
$\sigma_{F-f}$ = standard deviation of F−f

F and f are presumed to be s-independent; so Eqs. 9-21 and 9-22 hold.

The PSM is sometimes called a safety limit.

The statistical properties of F are presumed to be known directly;
while those of f must be calculated from other information. Suppose
that f is a function of several random variables whose coefficients of
variation are small enough that the function can reasonably be
linearized. The following notation is used:

    $f = y(x_1, x_2, \ldots, x_n)$
    $i$ = index, $i = 1, \ldots, n$
    $x_i$ = random variable which affects f                     (9-31A)
    $n$ = number of variables
    $\mu_i$ = mean of $x_i$
    $\sigma_i$ = standard deviation of $x_i$

    $\gamma_i \equiv \sigma_i/\mu_i$                            (9-31B)
             = coefficient of variation of $x_i$, $\gamma_i \ll 1$

    $c_i \equiv \left.\dfrac{\partial y}{\partial x_i}\right|_{\mu_1, \ldots, \mu_n}$   (9-31C)

    $c_i' \equiv \left.\dfrac{x_i}{y}\dfrac{\partial y}{\partial x_i}\right|_{\mu_1, \ldots, \mu_n} = \left.\dfrac{\partial \ln y}{\partial \ln x_i}\right|_{\mu_1, \ldots, \mu_n}$   (9-31D)

Then y is presumed to be expanded in a Taylor’s series, so the
following relationships will hold:

    $y - \mu_f = c_1(x_1 - \mu_1) + \ldots + c_n(x_n - \mu_n)$  (9-32)

    $\mu_f = y(\mu_1, \mu_2, \ldots, \mu_n)$                    (9-33)
    $\sigma_f^2 = c_1^2\sigma_1^2 + \ldots + c_n^2\sigma_n^2$   (9-34)

    $\gamma_f^2 = (c_1'\gamma_1)^2 + \ldots + (c_n'\gamma_n)^2$ (9-35)

The variations are given usually in terms of the $\sigma_i$ or
$\gamma_i$; e.g., the 2-in. thick bar has a thickness variation of
σ = 0.01 in., or, it has a thickness variation of γ = 0.5%.

The random variable η defined by:

    $\eta \equiv \dfrac{F - f}{\sigma_{F-f}}$                   (9-36)

has a distribution which generally is not known. Its mean and standard
deviation are easily shown to be:

    $\mu_\eta = PSM$
    $\sigma_\eta = 1$                                           (9-37)

since η is just the F−f normalized by its standard deviation. Eq. 9-20
can be used to find the probability of failure, for a given PSM, if the
distribution is known. In the absence of knowing the distribution,
Chebyshev’s (also spelled Tchebycheff) limit often is used. This limit
gives the greatest fraction of any distribution that can be in the tail
region (μ and σ must be known exactly). The greatest 2-sided fraction is
achieved for the unlikely probability mass function which consists of a
large “spike” of mass 1 − ε* at the mean μ, and two smaller spikes just
beyond μ ± ησ, each of mass ε*/2, where

    $\epsilon^* = 1/\eta^2$                                     (9-38)

Eq. 9-38 is Chebyshev’s 2-sided limit, i.e., the maximum fraction of a
distribution which can be outside the range μ ± ησ. A similar analysis
shows that the 1-sided limit, the fraction that can be beyond μ + ησ, is
1/(η² + 1). Table 9-1 compares the Chebyshev inequality with the
s-normal (Gaussian) distribution.

For example, if a PSM were 3.0, the maximum (Chebyshev) probability of
failure (1-sided) is 10%, while the s-normal (Gaussian) distribution
shows 0.14%. While nature is rarely as bad as it could be, it is often
much worse than we would like. So be wary of using the s-normal
distribution to calculate very low probabilities.

The procedure for using the PSM is to find the standard deviation of f
from Eqs. 9-34 or 9-35 and then to calculate the PSM. Usually the
failure probability is calculated from the Chebyshev and the s-normal
formulas, and the engineer uses whatever means of reconciling the two
he wishes; the Reasonable-Engineering-Guess for this purpose is
explained and tabulated in Table 9-1.

Example Problem No. 15 shows how the method works in practice.

9-4 SIMPLE CUMULATIVE-DAMAGE

Fatigue and corrosion are very common examples of failure caused by a
cumulation of damage. MIL-HDBK-5 contains fatigue curves for many
metals. It takes many complicated curves to show the fatigue behavior
of one metal. Even then, probabilistic effects are ignored. Such curves
are usually median curves—about 50 percent of the specimens will fail
above the curve, and 50 percent below the curve.

When the severity level of the damager (“stress”) changes, it is
difficult to calculate the cumulative effect. The most common
assumption is a linear one, that the rate of cumulating damage at any
one severity level is constant over the life of the item and is
independent of any damage the item has already cumulated. It is not
really a very good assumption, but in everyday design work, it’s about
as good as can be done.

Some of the treatments in pars. 9-2 and 9-3 can be applied to
cumulative damage since their main message is how to handle
uncertainties and how to pay attention to detail.

MIL-HDBK-5 is also a valuable source of information on
cumulative-damage failure-modes other than fatigue, but it doesn’t take
the place of a material specialist.

9-5 SEVERITY LEVELS FOR ELECTRONIC EQUIPMENT

Detailed procedures have been developed which permit the computation of
electronic component catastrophic failure rates as a function of
applied “stress” caused by operating and environmental conditions
(Ref. 8). A detailed description of the technique is given for a
specific category of component, the fixed, composition resistor, Style
RC22,



TABLE 9-1

Comparison of the Chebyshev-limit, the s-normal distribution and the
Reasonable-Engineering-Guess (REG)* (Both the mean and standard
deviation are presumed known exactly.)

1-sided tail
(Table gives the fraction beyond k standard deviations, in %)

        Chebyshev limit (CL)   REG*           s-Normal (N)   √(N × CL)/REG
  k     1/(k² + 1)             gaufc(0.8k)    gaufc(k)       **
  1.0   50                     21             16             1.3
  1.5   31                     12             6.7            1.2
  2.0   20                     5.5            2.3            1.2
  2.5   14                     2.3            .62            1.3
  3.0   10                     .82            .14            1.4
  3.5   7.5                    .26            .023           1.6
  4.0   5.9                    .069           .0032          2.0
  4.5   4.7                    .016           .00034         2.5
  5.0   3.8                    .0032          .000029        3.3

2-sided tails
(Table gives the fraction outside ±k standard deviations, in %)

        Chebyshev limit (CL)   REG*           s-Normal (N)   √(N × CL)/REG
  k     1/k²                   2 gaufc(0.8k)  2 gaufc(k)     **
  1.0   100                    42             32             1.3
  1.5   44                     23             13             1.0
  2.0   25                     11             4.6            .97
  2.5   16                     4.6            1.2            .95
  3.0   11                     1.6            .27            1.1
  3.5   8.2                    .51            .047           1.2
  4.0   6.3                    .14            .0063          1.4
  4.5   4.9                    .032           .00068         1.8
  5.0   4.0                    .0063          .000057        2.4

* The Reasonable-Engineering-Guess (REG) for the fraction lying in a
tail region is a quick-and-dirty way of being less pessimistic than the
Chebyshev limit and the s-normal distribution tail area. In order to
make it easy to work with, the REG is calculated from the s-normal
tables, as follows. The number of standard deviations, k, is
calculated; then the s-normal tables are entered with 0.8k instead of k
in a straightforward way in either a 1-sided or 2-sided calculation as
shown in the tables above.

There is nothing "theoretically true" about either the geometric mean
or the Reasonable-Engineering-Guess; they are just seat-of-the-pants.
But the REG can be very useful and easy to use. It helps an engineer be
more realistic about the tail areas of distributions than either the
s-normal or Chebyshev calculation is likely to be.

** This column gives the ratio of the "geometric mean of the Chebyshev
limit and the s-normal tail area" to the Reasonable-Engineering-Guess.
Example Problem No. 15

Given:

(1) Rectangular steel plate, type AISI 4340, heat-treated to a nominal
    (mean) yield strength of $F = 90 \times 10^3$ psi, $\gamma_F = 20\%$

(2) Plate size (see Fig. 9-4): width a = 30 in. nominal (mean),
    $\gamma_a = 5\%$, length b = 10 ft nominal (mean), $\gamma_b = 2\%$,
    thickness h to be calculated, $\gamma_h = 0.4\%$

(3) Loading, uniform applied load P = (80 ± 20) lb/ft² (0.556 psi).

(4) Plate is supported simply (no bending), along each end, but not the
    sides.

(5) The plate ought not to yield in service near room temperature.

(6) Characteristics in (1)-(4) are s-independent.

Find:

(1) Plate thickness (nominal) for a PSM = 4

(2) Plate thickness by conventional calculations

(3) The failure probability corresponding to PSM = 4.

Procedure and Example

(1) State the geometrical characteristics of the plate.

    $\mu_a = 30$ in., $\gamma_a = 5\%$
    $\mu_b = 10$ ft $= 120$ in., $\gamma_b = 2\%$
    $\mu_h = ?$, $\gamma_h = 0.4\%$                             (9-39)

(2) State the strength. State the load (assume worst-case for σ).

    $\mu_F = 90 \times 10^3$ psi, $\gamma_F = 20\%$
    $\mu_P = 80$ lb/ft² $= 0.556$ psi, $\gamma_P = 25\%$

(3) Check Ref. 2 pp. 372, 404 for the formulas for maximum stress.
    Adapt to this problem. f does not depend on a.

    $f = \dfrac{3Pb^2}{4h^2}$

    $\ln f = \ln(3/4) + \ln P + 2\ln b - 2\ln h$                (9-40)

(4) Calculate partial derivatives of ln f with respect to ln P, ln b,
    ln h in Eq. 9-40. Evaluate at the mean values.

    $c_P' = 1$, $c_b' = 2$, $c_h' = -2$                         (9-41)

(5) Calculate $\gamma_f$ by Eq. 9-35. It is obvious, here, that the
    variation in load is the only important variation.

    $\gamma_f^2 = (1 \times 25\%)^2 + (2 \times 2\%)^2 + (-2 \times 0.4\%)^2$   (9-42)

    $\gamma_f = 0.253$

(6) Use Eq. 9-30, with $\sigma_f = \mu_f \times \gamma_f$.

    $4 = \dfrac{90 \times 10^3\ \text{psi} - \mu_f}{[(20\% \times 90 \times 10^3\ \text{psi})^2 + (0.253\,\mu_f)^2]^{1/2}}$   (9-43)

(7) Solve by trial and error for $\mu_f$ (the mean of f) (or other
    convenient method).

    $\mu_f = 16.2 \times 10^3$ psi                              (9-44)

(8) Find $\mu_h$ (the mean of h) from Eq. 9-40, by substituting mean
    values. Nominal plate thickness is 0.61 in.

    $16.2 \times 10^3\ \text{psi} = \dfrac{3 \times 0.556\ \text{psi} \times (120\ \text{in.})^2}{4\mu_h^2}$   (9-45)

    $\mu_h = 0.61$ in.

(9) Just for fun, go back to Eq. 9-43 and evaluate $\sigma_F$ and
    $\sigma_f$. Thus the major contributor to $\sigma_{F-f}$ is
    $\sigma_F$.

    $\sigma_F = 20\% \times 90 \times 10^3$ psi $= 18 \times 10^3$ psi
    $\sigma_f = 0.253 \times 16.2 \times 10^3$ psi $= 4.1 \times 10^3$ psi   (9-46)

(10) Make the conventional calculation. Use a safety factor of 1.5 on
     the yield stress and the maximum load. Use nominal plate size. Use
     Eq. 9-40.

     $\dfrac{90 \times 10^3\ \text{psi}}{1.5} = \dfrac{3 \times (\ldots\ \text{psi}) \times (120\ \text{in.})^2}{4h^2}$   (9-47)

(11) Find the failure probability corresponding to PSM = 4. Use Table
     9-1 with k = 4.0; find the 1-sided probabilities.

     Chebyshev                      5.9%
     s-Normal                       0.0032%
     Reasonable-Engineering-Guess   0.069%                      (9-48)

Look back at the results. The PSM = 4 approach produced a ridiculously
low value of yield stress to use. It turns out to be a safety factor of
about 5. Not many designs can afford that luxury. Some test-programs on
receiving inspection and some better heat-treat control in manufacture
are in order, to reduce the variation in yield strength. The benefit of
this calculation is not the 0.61 in. thickness calculated for the
plate, but the increased understanding of the failure causes and where
they ought to be reduced.
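The PSM procedure of Example Problem No. 15, written out as an added Python example that is not part of the handbook: Eq. 9-35 for the coefficient of variation of stress, a bisection solve of Eq. 9-30 in place of trial and error, Eq. 9-40 inverted for thickness, and the 1-sided tail formulas from the Table 9-1 column headings. All function names and the bisection tolerance are assumptions.

```python
import math


def gaufc(k):
    """Upper-tail area of the standard s-normal distribution beyond k."""
    return 0.5 * math.erfc(k / math.sqrt(2.0))


def one_sided_tails(k):
    """1-sided tail fractions beyond k standard deviations (Table 9-1)."""
    return {
        "chebyshev": 1.0 / (k * k + 1.0),   # Chebyshev limit
        "reg": gaufc(0.8 * k),              # Reasonable-Engineering-Guess
        "s_normal": gaufc(k),               # s-normal tail area
    }


def gamma_stress(terms):
    """Eq. 9-35: terms is an iterable of (c'_i, gamma_i) pairs."""
    return math.sqrt(sum((c * g) ** 2 for c, g in terms))


def psm(mu_F, gamma_F, mu_f, gamma_f):
    """Eq. 9-30 with sigma_F = gamma_F * mu_F and sigma_f = gamma_f * mu_f."""
    return (mu_F - mu_f) / math.hypot(gamma_F * mu_F, gamma_f * mu_f)


def mean_stress_for_psm(target, mu_F, gamma_F, gamma_f, tol=1e-9):
    """Mean stress mu_f at which the PSM equals target, by bisection.

    The PSM falls monotonically from 1/gamma_F (at mu_f = 0) to 0 (at
    mu_f = mu_F), so a target at or above 1/gamma_F cannot be met by any
    design, however thick the part is made.
    """
    if gamma_F <= 0 or target <= 0:
        raise ValueError("gamma_F and target PSM must be positive")
    if target >= 1.0 / gamma_F:
        raise ValueError("target PSM exceeds 1/gamma_F; reduce strength variation")
    lo, hi = 0.0, mu_F
    while hi - lo > tol * mu_F:
        mid = 0.5 * (lo + hi)
        if psm(mu_F, gamma_F, mid, gamma_f) > target:
            lo = mid      # margin still above target: stress may rise
        else:
            hi = mid
    return 0.5 * (lo + hi)


def plate_thickness(P, b, f):
    """Invert f = 3 P b^2 / (4 h^2) (Eq. 9-40) for the thickness h."""
    return b * math.sqrt(3.0 * P / (4.0 * f))


def example_15():
    """Example Problem No. 15 data: psi and inches, target PSM = 4."""
    mu_F, gamma_F = 90e3, 0.20
    g_f = gamma_stress([(1, 0.25), (2, 0.02), (-2, 0.004)])   # Eqs. 9-41, 9-42
    mu_f = mean_stress_for_psm(4.0, mu_F, gamma_F, g_f)       # Eqs. 9-43, 9-44
    return {
        "gamma_f": g_f,
        "mu_f": mu_f,
        "h": plate_thickness(0.556, 120.0, mu_f),             # Eq. 9-45
        "sigma_F": gamma_F * mu_F,                            # Eq. 9-46
        "sigma_f": g_f * mu_f,
        "tails": one_sided_tails(4.0),                        # Eq. 9-48
    }


if __name__ == "__main__":
    for name, value in example_15().items():
        print(name, value)
```

The guard in `mean_stress_for_psm` makes the example's closing remark concrete: with a 20% coefficient of variation on yield strength the PSM can never reach 5, so a higher margin has to come from tighter strength control rather than from a thicker plate.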
FIGURE 9-4. Simply Supported Rectangular Plate Subject to Uniform Load P
(figure labels: point of maximum moment; thickness h; uniform load = P)


MIL-R-11/4E (Ref. 9). Although the specific equations and constants may
be different for other components, the general approach is applicable.
The discussion is adapted from the RADC Reliability Notebook, Volume II
(Ref. 8). (Ref. 8 has been replaced by Ref. 13, but the procedure is
similar.)

The fixed, composition resistor, RC22, consists of a mixture of finely
divided carbon and binder, either in the form of a slug or a heavy
coating on a glass tube. Specially formed wire leads are embedded in
the resistance element. An insulating case, usually phenolic, is molded
around the resistor forming a one-piece enclosure to support the leads
and provide moisture sealing.

The prediction methods permit the catastrophic failure rate and the
percent resistance degradation over time to be computed. The basic
resistor equation is:

    $\lambda_R = (\lambda_B)(\Pi_R)(\Pi_E) + \Sigma_E$          (9-49)

where

$\lambda_R$ = catastrophic failure rate
$\lambda_B$ = basic failure rate and is a function of the physical
              characteristics of the component and the applied stress
$\Pi_R$ = resistance factor; it is a constant that depends on the value
          of the resistor (Table 9-2)
$\Pi_E$ and $\Sigma_E$ = environmental factors (Table 9-3)

TABLE 9-2. RESISTANCE FACTOR Π_R FOR RC-22 RESISTORS (Ref. 8)

  Resistance Range (ohms)    Π_R
  < 100                      1.1
  100 to 100 k               1.0
  > 0.1 M to 1.0 M           1.1
  > 1.0 M to 10 M            1.6
  > 10 M                     2.5

The basic failure rate $\lambda_B$ is given by the equation:

    λ_B = A exp

where

$N_T$ = temperature constant, °K
$N_S$ = stress constant, dimensionless
G = acceleration (of degradation) constant, dimensionless
H = acceleration constant, dimensionless
P = operating power, W
$P_0$ = power rating, W
A = adjustment factor for resistor type and style, %/1000 hr
T = operating temperature, °K.

The constants in Eq. 9-50 have been derived experimentally. They are
listed in Table 9-4. An extensive set of curves has been plotted for
use in computing $\lambda_B$ as a function of operating conditions.
These curves were computed using the constants in Table 9-4. The
numbers in the second column (“λ_B Curve Figure”) of Table 9-4 refer to
the specific set of curves (in Ref. 8) to be used for a particular
resistor style. The values of $N_T$ do not refer to actual
temperatures; they are
TABLE 9-3. ENVIRONMENT FACTORS, Π_E, Σ_E, AND LONGEVITY, L, FOR MIL-R-11 RESISTORS

Π_E is dimensionless
Σ_E is in % per 1000 hours

  Environment             Grade of      Π_E          Σ_E             Σ_E                  Σ_E      Longevity*
  (E)                     Reliability   All Styles   RC-22, 07, 12   RC-05, 20, 32, 42    RC-08    L (hr)
  Laboratory              Upper         1.0          0.0001          0.0002               0.0005   50,000
                          Lower         7.5          0.001           0.002                0.001    5,000
  Satellite, Orbit        Upper         1.04         0.0001          0.0002               0.0005   50,000
                          Lower         1.5          0.001           0.002                0.001    5,000
  Ground, Fixed           Upper         2.0          0.0004          0.0005               0.001    5,000
                          Lower         4.0          0.002           0.003                0.003    1,500
  Ground, Portable        Upper         5.0          0.0008          0.001                0.002    1,500
                          Lower         10.0         0.004           0.005                0.006    500
  Airborne, Inhabited     Upper         4.0          0.0006          0.001                0.001    1,000
                          Lower         8.0          0.003           0.005                0.003    500
  Ground, Mobile          Upper         7.0          0.001           0.002                0.002    500
                          Lower         14.0         0.005           0.008                0.006    100
  Airborne, Uninhabited   Upper         8.0          0.001           0.002                0.002    500
                          Lower         20.0         0.005           0.008                0.006    100
  Satellite, Launch       Upper         15.0         0.005           0.002                0.002    50
                          Lower         40.0         0.010           0.008                0.006    10
  Missile                 Upper         20.0         0.005           0.003                0.003    5
                          Lower         80.0         0.010           0.010                0.010    1

* Longevity is that time period for which the failure rate can be
considered to be constant at some given severity level.
TABLE 9-4. CONSTANTS FOR USE IN COMPUTING λ_B

                                λ_B Curve    Model Constant Value
  Style                         Figure*      N_T     N_S     G    H    A
  RC-22                         2** and 3    25°K    0.28    1    1    195 × 10^-11
  RC-07, RC-12                  4 and 5      25°K    0.31    1    1    3.99 × 10^-11
  RC-05, RC-20, RC-32, RC-42    6 and 7      25°K    0.42    1    1    1.2 × 10^-10
  RC-08                         8 and 9      25°K    0.625   1    1    3.6 × 10^-10

* These numbers are the numbers of figures in Ref. 8.

** Curve Figure No. 2 in Ref. 8 is shown as Fig. 9-5 in this chapter.


merely constants which appear in the equations.

The assumption that “the catastrophic failure rate for part types is
constant with time” has been replaced by the knowledge that any
specific failure rate can be treated as constant only for a certain
longevity period following reliability screening. The length of the
first longevity period during which the catastrophic failure rate can
be considered constant varies not only with the part type, but with the
stress of the environment in which the part is applied. The concept of
one nominal failure rate for each part type has been replaced by the
more realistic concept that there is a range of quality grades
available for each part type. The fact that the quality grade interacts
with application and stress parameters prohibits the use of a common
adjustment constant between upper and lower grade. The relationships
among the environmental factors, grade of reliability, and longevity
are given in Table 9-3.

Example Problem No. 16 illustrates the procedure.

9-6 OTHER MODELS

The models for failure presented in this chapter are the conceptually
simple ones. Failures of real structural materials are caused by many
competing and interacting failure mechanisms. The older general purpose
alloys have good resistance to many failure modes—that is why they were
general purpose alloys. The newer “high-strength” alloys are often more
susceptible to some of the less usual failure mechanisms. Their
behavior in the presence of many competing failure mechanisms is not
well understood in many cases. Refs. 11 and 12 are good treatments for
the design engineer on the failure modes of metals.
Example Problem No. 16

Given a 1.0-megohm resistor (±5 percent), style RC22, operated at 75°C
and 0.4 rated load $P/P_0$, find the catastrophic failure rate
$\lambda_R$ in a ground fixed environment and determine the degradation
of resistance ΔR and failure rate after 2 years of service (15,000 hr).

Procedure and Example

(1) Use the curves based on Eq. 9-50 and Fig. 9-5 to determine
    $\lambda_B$ for 75°C and 0.4 rated load (stress ratio $S = P/P_0$).

    $\lambda_B = 0.00009$ percent/1000 hr                       (9-51)

(2) Determine $\Pi_R$ from Table 9-2.

    $\Pi_R = 1.1$ for a 1.0-megohm resistor                     (9-52)

(3) Determine $\Pi_E$ and $\Sigma_E$ for ground, fixed, service from
    Table 9-3.

    $\Pi_E$ (upper grade) = 2.0
    $\Pi_E$ (lower grade) = 4.0                                 (9-53)

    $\Sigma_E$ (upper grade) = 0.0004 percent/1000 hr
    $\Sigma_E$ (lower grade) = 0.002 percent/1000 hr            (9-54)

(4) Compute $\lambda_R$ by Eq. 9-49.

    $\lambda_R$ (upper grade) $= 0.00009 \times 1.1 \times 2.0 + 0.0004$
                              $= 0.0006$ percent/1000 hr
    $\lambda_R$ (lower grade) $= 0.00009 \times 1.1 \times 4.0 + 0.002$
                              $= 0.0024$ percent/1000 hr        (9-55)

(5) Use Table 9-3 to determine longevity periods L corresponding to
    upper and lower grade reliabilities for ground, fixed, service.

    L (upper grade) = 5,000 hr
    L (lower grade) = 1,500 hr

(6) Compute the ratio of service time to longevity period for upper
    grade $r_1$ and lower grade $r_2$ reliabilities:

    $r_1 = \dfrac{\text{service time}}{\text{upper grade longevity}}$
    $r_2 = \dfrac{\text{service time}}{\text{lower grade longevity}}$   (9-56)

    $r_1 = \dfrac{15{,}000}{5{,}000} = 3$
    $r_2 = \dfrac{15{,}000}{1{,}500} = 10$                      (9-57)

(7) From Fig. 9-6 determine longevity factor $\Pi_L$.

    $\Pi_L = 1.5$ for $r_1 = 3$
    $\Pi_L = 3.6$ for $r_2 = 10$                                (9-58)

(8) Compute the catastrophic failure rate $\lambda_{RL}$ at the end of
    15,000-hr service by:

    $\lambda_{RL} = \lambda_R \Pi_L$                            (9-59)

    $\lambda_{RL}$ (upper grade) = (0.0006 percent per 1000 hr) × (1.5)
                                 = 0.0009 percent per 1000 hr
    $\lambda_{RL}$ (lower grade) = (0.0024 percent per 1000 hr) × (3.6)
                                 = 0.00864 percent per 1000 hr  (9-60)

(9) Compute the approximate resistor body operating temperature $T_B$
    by:

    $T_B = T + \left(\dfrac{0.5^\circ\text{C}}{\text{percent-rated-load}}\right) \times (\text{percent-rated-load})$   (9-61)

    where
    T = operating temperature, °C
    0.5°C/(percent-rated-load) = heat dissipation factor

    $T_B = 75 + \left(\dfrac{0.5^\circ\text{C}}{\text{percent-rated-load}}\right) \times (40\ \text{percent-rated-load}) = 75 + 20 = 95^\circ$C   (9-62)

(10) Determine the percent decrease in resistance ΔR at 15,000 hr, for
     $T_B$ = 95°C, from Fig. 9-7.

     ΔR = 2.5 percent decrease                                  (9-63)
FIGURE 9-5. Determination of Failure Rate $\lambda_B$ as Related to Stress Ratio S for MIL-R-11/4E Resistors, RC-22 (axis: stress ratio S = operating power / rated power)

FIGURE 9-6. Determination of Longevity Factor $\Pi_L$ for MIL-R-11 Resistors, All Styles (axis: multiples of longevity)

FIGURE 9-7. Determination of Resistor Longevity as Related to Body Temperature, for MIL-R-11 Resistors, All Styles (axis: body temperature $T_B$, °C)
CHAPTER 10 PARAMETER VARIATION ANALYSIS

10-0 LIST OF SYMBOLS

$C$ = capacitance
Cdf = Cumulative distribution function
Cov = Covariance of
$f$ = frequency
$f_i$ = fraction in cell $i$
$h$ = number of standard deviations
$L$ = inductance
$N$ = number of cells, par. 10-3
$n$ = number of units or characteristics
$0$ = subscript, implies nominal value, see Eq. 10-11
$P$ = random variable, characteristic of a part
$\bar{P}$ = mean of $P$, sometimes used with subscripts
pdf = probability density function
$P_j$ = characteristic $j$
$P_{min}$, $P_{max}$ = tolerance limits for $P$
PSM = probabilistic safety margin
$R$ = Resistance, par. 10-3
$\bar{R}$ = mean Resistance, par. 10-3
$R_{ci}$ = Resistance at center of cell $i$, par. 10-3
REG = Reasonable-Engineering-Guess
$S_{ij}$, $s_{ij}$ = sensitivity coefficients, see Eqs. 10-12, 10-13
Tf = tolerance limit
Var = Variance of
$V_i$ = performance characteristic $i$
$y$ = a function
$\gamma_i^*$ = coefficient of variation of $V_i$, see Eq. 10-25
$\gamma_j$ = coefficient of variation of $P_j$, see Eq. 10-25
$\Delta f$ = frequency change
$\Delta_{max}$ = maximum $\Delta$
$\sigma$ = standard deviation (often used with a subscript)
$\sigma_i^*$ = standard deviation of $V_i$
10-1  INTRODUCTION 

Parameter variation analysis, sometimes referred to as variability analysis, consists of a useful set of tools for designing reliable systems. Through the use of these tools, the effects of variations of individual design parameters on system performance and reliability can be determined. The techniques need not be statistical. Ref. 18 is a good discussion of parameter variation analysis; it is written for practical use by engineers.

The worst-case method of variability analysis is a nonstatistical approach (Ref. 18) that can be used to determine whether it is possible, with given parameter tolerance limits, for the system performance characteristics to fall outside specifications. The answer is obtained by using system models in which parameters are set at either their upper or lower tolerance limits. Parameter values are chosen to cause each performance characteristic to assume first its maximum and then its minimum expected value. If these performance-characteristic values fall within specifications, the designer can be sure that the system has high drift reliability. If specifications are exceeded, drift-type failures are possible, but the probability of their occurrence remains unknown.

Statistics is combined with system analysis techniques in the moment method to estimate the probability that performance will remain within specified limits (Ref. 18). The method applies the propagation-of-variance formula to the first two moments of component-part frequency distributions to obtain the moments of performance-characteristic frequency distributions. On the basis of this information, the probability that specific system parameters drift out of their acceptable range, or the drift reliability, can be computed.

In the Monte Carlo method a large number of alternate replicas of a system are simulated by mathematical models (Ref. 18). Component values are selected randomly, and the performance of each replica is determined for its particular set of components. The performances of the replicas are compared with specification limits to yield an accurate estimate of system reliability.
Each of these methods and the basic mathematical theory of parameter variation analysis are discussed in the paragraphs that follow.

The fundamental approach in each method involves the systematic manipulation of a suitably arranged system model to give the desired information. All depend on the speed and accuracy afforded by the modern digital computer to manipulate the model and to process the data resulting from this manipulation.

The nonstatistical, worst-case approach is designed to give basic information concerning the sensitivity of a configuration to variability in the parameters of its component parts. This information is useful to the designer in selecting economical but adequately stable components for the circuit and in modifying the configuration to reduce the critical effects of certain parameters. On the other hand, the moment and Monte Carlo methods, which are statistical, use actual parameter-variability data to simulate real-life situations and predict the probability that performance is inside tolerance specifications. The moment method prediction of performance variability is usually less accurate than the Monte Carlo method, but still adequate for most purposes. The moment method provides information that is extremely useful to the designer in pinpointing sensitive areas and reducing this sensitivity to parameter variability.

In addition to providing data on drift-type failures, the techniques are all capable of giving "stress level" information of the type needed for estimating catastrophic-failure rates. They are useful, powerful tools for predicting overall reliability.

10-2 DESCRIPTIONS OF VARIABILITY

The performance of a system depends on the parameters of its component parts and on the particular set of values assigned to those parameters. Since these parameter values vary because of imperfect parts and environmental effects, system performance variability is inevitable. This concept is illustrated in Fig. 10-1, where a performance characteristic V of a system is plotted as a function of parameter P. V might represent the voltage or pressure at some point in the system, and P might represent the resistance of a resistor or the diameter of a nozzle.

Data for a plot of this type can be obtained by holding all parameters and environmental conditions, except P, constant at nominal values while P is varied over a range above and below its nominal value. The nominal value of P falls at the point on the curve V = f(P) at which V equals its nominal value, the design center. This curve describes the relationship between V and P. When actual component parts are obtained for the system, the values of P are found to lie, not exactly at the nominal value of P, but in the range indicated in the lower frequency distribution. The effect on V of this variability in P can be determined by projecting the P distribution up to the curve V = f(P) and over to the V axis. If the curve is essentially linear, the distribution of V will have basically the same shape as the distribution of P. Similarly, if the curve is highly nonlinear in the range of interest, the distribution of V will be a distorted version of that of P.

This concept of performance variability is understood readily on a parameter-by-parameter basis, and it can be handled easily, in this manner, by the designer. What really is needed, however, is a means of handling real-life situations such as that shown in Fig. 10-2, where performance variability is influenced by several parameters simultaneously. Comparison of the functional relationships shows a positive correspondence between V, $P_1$, and $P_3$, and a negative correspondence between V and $P_2$. V depends highly on $P_1$ and $P_2$, but only slightly on $P_3$. The net variability of the performance characteristic V is influenced by all three parameters, and the contribution of each is a function of its importance in determining the value of V, as well as its own variability.

All of the probability density functions (referred to as frequency distributions in Fig. 10-2) have an area of unity, regardless of shape. This means, of course, that those with a narrow base (low variability) have relatively greater height (high relative frequency). The 3-variable pdf of performance characteristic V has a broader base than any of the 1-variable distributions of V, as might be expected. None of these individual pdf's indicates a serious degree of shift in V, but their combined net effect is a pdf having tails slightly outside the upper and lower specification limits. The portion of this distribution that falls outside of the specification limits represents drift failure.

FIGURE 10-2. Performance Variability of a System as a Function of the Variability of Three Parameters

The term "tail" is used quite often for a probability distribution; it refers to the noncentral portions of the pdf, which are usually long and narrow like a tail. Most pdf's are drawn with smooth tails, but there is no law of nature that says they must be smooth. Rarely, if ever, are enough data available to describe the tails of a distribution, say in the 1% region or less. It is worthwhile estimating the fraction of the distribution which lies outside the region where the distribution is described by the tractable formula. This external region ought to be described only by the fraction estimated to be in it; one may wish to have two external regions, one above and one below the internal (main) region, and to estimate separately the fraction in each. The external region is not used to estimate the parameters of the distribution for the internal region.

If an analysis requires a further assumption about the shape of the distribution in the external region, then a pessimistic assumption ought to be made, e.g., the entire fraction lies 2 standard deviations beyond the boundary of the internal region. If you can't afford the pessimistic assumption in your analysis, then you need more data about the external region. A real pessimist would assume that the fraction estimated to be in the external region is completely defective.

FIGURE 10-3. Frequency Histogram and Cumulative Polygon for a Typical Frequency Distribution


10-3  SOURCES  OF  VARIABILITY 

In any sample group of similar components that have passed successfully through the production and inspection process (for example, 500, 10%, 1000-ohm resistors), many units will have nearly nominal resistance, some will have resistance values near the tolerance limits, and a few might have values outside of the tolerance limits. The distribution of resistance values is important because it can affect circuit performance variability.

The frequency histogram and the cumulative polygon provide a method of visualizing the distribution of resistance values. The histogram is formed by dividing the tolerance range (e.g., 900 to 1100 ohms) into a number of cells. In Fig. 10-3, 20-ohm cells are used. The column height for each cell is determined by the number of resistors whose values fall within the cell; it is an approximation to the pdf. The cumulative polygon is formed by cumulatively adding the number of resistors in each cell; it is an approximation to the Cdf. Relative frequency of occurrence is the frequency of occurrence divided by the total number of observations (500 in this case).

A smooth frequency distribution (Fig. 10-4) can be obtained by fitting a curve to the histogram. The discussion that follows presumes that the sample was "infinitely" large, so that the smooth curve really does accurately represent the whole population. The first moment of the distribution is its mean value $\bar{P}$, and is taken from the origin:

$$\bar{P} = \int P \times \mathrm{pdf}\{P\}\, dP$$   (10-1)

The first moment corresponds to the center of gravity of a plane area. The sum of first moments about the mean is zero, since positive and negative moments balance:

$$\int (P - \bar{P}) \times \mathrm{pdf}\{P\}\, dP = 0$$   (10-2)

The second central moment (i.e., taken about the mean) is called the variance $\sigma_P^2$:

$$\sigma_P^2 = \int (P - \bar{P})^2 \times \mathrm{pdf}\{P\}\, dP$$   (10-3)

The variance corresponds directly to the moment of inertia of a plane area. The variance and its square root, the standard deviation $\sigma_P$, are both used as measures of variability. Higher moments of a distribution are sometimes useful in defining skewness, peakedness, etc. If the distribution is s-normal (or any other that has no more than 2 parameters), only the first two moments are needed to determine its parameters.

FIGURE 10-4. Moments of a Distribution
First and second moments of the sample can be calculated directly from the histogram if it is assumed that within each cell all component values occur at the midpoint of the cell or if the usual correction for grouping is used.

Example Problem No. 17 illustrates the procedure.

When a single component has several important parameters, there may be relationships among the parameter distributions. For example, for a semiconductor diode with a given offset voltage $V_D$ and dynamic resistance $R_D$, some internal physical relationship may define a value or range of values for $R_D$ with respect to $V_D$. Another example can be given for a solid fuel rocket motor. The static pressure in the chamber is a function of fuel grain density, burning index, nozzle area, and burn surface area of the grain. Varying these parameters causes variations in chamber pressure, which can lead to unacceptable performance. Thus variations in the design parameters of a particular system can depend upon each other. The extent and direction of the linear component of the dependence, called the linear correlation, can be computed for the sample from:

it.  (p.i ~ 

„ = HO-9) 


where

$\rho$ = linear-correlation coefficient
$n$ = number of individual units tested
$P_{aj}$, $P_{bj}$ = measurements of parameters $P_a$ and $P_b$ on unit $j$
$\sigma_a$, $\sigma_b$ = standard deviations for parameters $P_a$ and $P_b$

The linear-correlation coefficient $\rho$ lies between +1 and -1. If the linear-correlation coefficient is negative, increases in one parameter correspond to decreases in the other. If the linear-correlation coefficient is positive, increases in one parameter correspond to increases in the other. The statistical literature usually uses the term correlation rather than linear-correlation for this concept. But since an engineer tends to think of correlation and dependence as synonyms, the more complete description linear-correlation is used in this handbook.

10-4 EFFECTS OF VARIABILITY

Variability models can be made up of physical components (Ref. 18), but mathematical models are used whenever possible because they are easier to manipulate. The greatest obstacle to the use of mathematical models in the past was difficulty in calculating numerical values for performance characteristics. Modern digital and analog computers have solved this calculative problem, but have not eliminated the need for simplifying assumptions. For example, linear equivalents are usually used to represent nonlinear devices, such as transistors and diodes. In some systems, however, the inaccuracies introduced by the assumption of linearity may be intolerable.

In general, the model must be accurate enough to simulate the behavior of the system over its entire range of operation. Furthermore, it must express the relationships between each performance characteristic and all parameters. The range of accurate simulation can be much smaller than for safety analyses where unusual, undesired operation can cause unsafe conditions.

If the operating region of the system components changes, it may be necessary to modify the mathematical model during the analysis. A new operating region for a component such as a transistor usually requires a new equivalent circuit, and each of these equivalent circuits must be tested for accurate simulation. The required tests and necessary changes can be performed in a routine manner by the computer program.

The variability analysis methods are adaptable to many diverse types of systems: electrical circuits, mechanical systems, and, indeed, any system for which design equations can be developed.

Either the loop-current approach or the node potential approach can be used to form the equation for an electrical or mechanical equivalent circuit, but experience has shown that the node potential approach is often preferable for a variability analysis. This direct
Example Problem No. 17

Determine the mean and standard deviation of the resistance values for the sample described in Fig. 10-3.

Procedure and Example

(1) Determine the midpoint resistance $R_{ci}$ of each cell in the frequency histogram.

    The cell midpoints are at 910, 930, 950, 970, 990, 1010, 1030, 1050, 1070, 1090 ohms.

(2) Determine the relative frequency of occurrence $f_i$ of resistance values within each cell.

    The relative frequencies of occurrence are known to be 0.02, 0.06, 0.10, 0.16, 0.18, 0.14, 0.12, 0.10, 0.08, 0.04.

(3) Compute the mean resistance $\bar{R}$ of the sample by:

    $$\bar{R} = \sum_{i=1}^{N} f_i R_{ci}$$   (10-4)

    where N = number of cells.

    $\bar{R}$ = 0.02 × 910 + 0.06 × 930 + 0.1 × 950 + 0.16 × 970 + 0.18 × 990 + 0.14 × 1010 + 0.12 × 1030 + 0.1 × 1050 + 0.08 × 1070 + 0.04 × 1090
    = 1002 ohms   (10-5)

(4) Compute the standard deviation $\sigma_R$ of the sample resistance by:

    $$\sigma_R^2 = \sum_{i=1}^{N} f_i (R_{ci} - \bar{R})^2$$   (10-6)

    $\sigma_R^2$ = 0.02(910 - 1002)² + 0.06(930 - 1002)² + 0.1(950 - 1002)² + 0.16(970 - 1002)² + 0.18(990 - 1002)² + 0.14(1010 - 1002)² + 0.12(1030 - 1002)² + 0.1(1050 - 1002)² + 0.08(1070 - 1002)² + 0.04(1090 - 1002)²
    = 1954   (10-7)

    $\sigma_R$ = 44.2 ohms   (10-8)
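The calculation of Example Problem No. 17, as an added example in Python that is not part of the handbook: besides Eqs. 10-4 and 10-6 it builds the cumulative polygon of par. 10-3 and applies a grouping correction. It assumes that "the usual correction for grouping" means Sheppard's correction (subtract cell width squared over 12 from the variance); the function names and the interpolation helper are this example's own.

```python
import math

# Data of Example Problem No. 17 (Fig. 10-3): ten 20-ohm cells, 900 to 1100 ohms.
MIDPOINTS = [910, 930, 950, 970, 990, 1010, 1030, 1050, 1070, 1090]
REL_FREQ = [0.02, 0.06, 0.10, 0.16, 0.18, 0.14, 0.12, 0.10, 0.08, 0.04]
CELL_WIDTH = 20.0
LOWER_EDGE = 900.0


def grouped_moments(midpoints, rel_freq, cell_width=None):
    """Mean, variance and standard deviation from a histogram.

    Every unit in a cell is placed at the cell midpoint (Eqs. 10-4, 10-6).
    If cell_width is given, Sheppard's correction is applied to the variance
    (assumed here to be the handbook's "usual correction for grouping").
    """
    if len(midpoints) != len(rel_freq):
        raise ValueError("one relative frequency is needed per cell")
    if abs(sum(rel_freq) - 1.0) > 1e-9:
        raise ValueError("relative frequencies must sum to 1")
    mean = sum(f * r for f, r in zip(rel_freq, midpoints))
    var = sum(f * (r - mean) ** 2 for f, r in zip(rel_freq, midpoints))
    if cell_width is not None:
        var -= cell_width ** 2 / 12.0
    return mean, var, math.sqrt(var)


def cumulative_polygon(midpoints, rel_freq, cell_width):
    """Points (upper cell edge, cumulative fraction): the approximation to the Cdf."""
    points, running = [], 0.0
    for r, f in zip(midpoints, rel_freq):
        running += f
        points.append((r + cell_width / 2.0, running))
    return points


def fraction_below(value, polygon, lower_edge):
    """Fraction of the sample below `value`, by linear interpolation on the polygon."""
    prev_x, prev_y = lower_edge, 0.0
    for x, y in polygon:
        if value <= x:
            if value <= prev_x:
                return prev_y
            return prev_y + (y - prev_y) * (value - prev_x) / (x - prev_x)
        prev_x, prev_y = x, y
    return 1.0


if __name__ == "__main__":
    mean, var, std = grouped_moments(MIDPOINTS, REL_FREQ)
    _, var_c, std_c = grouped_moments(MIDPOINTS, REL_FREQ, CELL_WIDTH)
    polygon = cumulative_polygon(MIDPOINTS, REL_FREQ, CELL_WIDTH)
    print(f"mean = {mean:.1f} ohms, sigma = {std:.1f} ohms")
    print(f"sigma with grouping correction = {std_c:.1f} ohms")
    print(f"fraction below 950 ohms = {fraction_below(950, polygon, LOWER_EDGE):.2f}")
```

The handbook rounds the mean to 1002 ohms before taking deviations, which is why it reports a variance of 1954 where the unrounded mean gives a slightly smaller figure; the standard deviation is 44.2 ohms either way.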
procedure yields a complete, nonredundant set of circuit equations. The node potentials calculated by solving the circuit equations can be used directly to determine "stress" levels and performance characteristics, such as terminal-to-terminal voltages, current flows, power dissipations, gains, velocities, pressures, forces, and torques.

The first step in analyzing a node potential model is to identify all independent nodes (junctions) where three or more circuit branches meet. Usually, the ground or stationary node is selected as a reference; then the current in each branch is expressed in terms of the node potentials and the branch impedance. Kirchhoff's law (sum of currents into a node is zero) is then applied at each node. The resulting simultaneous equations are set up in matrix form and solved by a computer using a matrix inversion program.

The sound practice of verifying the mathematical model ought to be followed by comparing the computed results with measurements taken from a breadboard model of the circuit, or from a working model of the mechanical system. It is essential that all parameter values be the same in both the mathematical and physical models. The performance of the physical model ought closely to approach the original design performance goals. If these goals are not met, the basic design must be modified.

If the construction of a mathematical model of the system is not feasible, a physical model sometimes can be used for the variability analysis. The physical model is similar to a conventional model, except that it must provide means for conveniently varying parameters.

When a suitable model has been developed, variability data for all component parts are needed so that they can be applied to the model to observe and interpret its response. Three variability analysis techniques are discussed in the paragraphs that follow.

10-5  WORST-CASE  METHOD 

The worst-case method of variability analysis is a nonstatistical approach (Refs. 1, 18) that can be used to determine whether it is possible, with given parameter tolerance limits, for the system performance characteristics to fall outside specifications (Fig. 10-5). The answer is obtained by using system models in which parameters are set at either their upper or lower tolerance limits. Parameter values are chosen to cause each performance characteristic to assume first its maximum and then its minimum expected value. If the performance characteristic values fall within specifications, the designer can be confident that the system has high drift-reliability. If specifications are exceeded, drift type failures are possible, but the probability of their occurrence remains unknown.

FIGURE 10-5. Worst-case Method


Worst-case analysis is based on expressing the model performance parameters $V_i$ as functions of design parameters $P_1, P_2, \ldots, P_n$ and expanding these functions in Taylor series about the nominal values. The design parameters include all pertinent part characteristics, inputs, loads, and environmental factors. Let the model for a performance parameter $V_i$ be:

$$V_i = y(P_1, P_2, P_3, \ldots, P_n)$$   (10-10)

The linear expression which relates changes in $V_i$ to changes in the design parameters $P_1, P_2, \ldots, P_n$ is:

$$\Delta V_i = \sum_{j=1}^{n} \left.\frac{\partial V_i}{\partial P_j}\right|_0 \Delta P_j$$   (10-11)

where

$\partial V_i / \partial P_j$ = partial derivatives of the performance parameter $V_i$ with respect to the design parameter $P_j$
$0$ = evaluated at the nominal conditions, usually the mean values
$\Delta P_j$ = the variation of design parameter $P_j$; $\Delta P_j = P_{j0} - P_{j\,min}$ or $P_{j\,max} - P_{j0}$

A set of these equations must be derived to relate all performance factors to all design variables. The partial derivatives of the $V_i$ with respect to each dependent variable $P_j$ must be computed. Several techniques for calculating these derivatives are given in Refs. 2, 3, 4, and 5.

One of the most important steps in a worst-case analysis is to decide whether to use a high or low parameter-tolerance limit for each component part when analyzing a specific performance characteristic. If the slope of the function that relates a parameter to a performance characteristic is known, the selection of parameter limit is easy: when the slope of the parameter function is positive, the upper tolerance limit is chosen if the maximum value of the performance characteristic is desired. For parameter functions with negative slopes, the lower tolerance limit corresponds to the maximum performance-characteristic value.

An important part of worst-case analysis is to determine the sensitivity of system performance to variations in input parameters. Although several definitions of sensitivity are found in the literature (Refs. 4 and 6, for example), the sensitivity of a system essentially is measured as the effect of parameter variations on the system performance. In equation form, sensitivity can be expressed by:

$$S_{ij} = \left.\frac{\partial V_i}{\partial P_j}\right|_0$$   (10-12)

where

$S_{ij}$ = the sensitivity of the performance measure $V_i$ to the variation in the system design parameter $P_j$

An alternate form is the normalized sensitivity:

$$s_{ij} = \left(\frac{P_{j0}}{V_{i0}}\right) \left.\frac{\partial V_i}{\partial P_j}\right|_0 = \left.\frac{\partial \ln V_i}{\partial \ln P_j}\right|_0 \approx \frac{\Delta V_i / V_i}{\Delta P_j / P_j}$$   (10-13)

which is more frequently used.

The forms of the variation equation which correspond to the two sensitivities are:

$$\Delta V_i = \sum_{j=1}^{n} S_{ij}\, \Delta P_j$$   (10-14)

$$\frac{\Delta V_i}{V_{i0}} = \sum_{j=1}^{n} s_{ij}\, \frac{\Delta P_j}{P_{j0}}$$   (10-15)

Eq. 10-15 is more convenient when the performance equation is a product of terms and the tolerances are expressed in percent.

If a design fails the worst-case analysis, look at the absolute values of the individual terms in Eq. 10-14 or 10-15. The ones which contribute the most ought to be reduced; they are the bottlenecks. It does little good to reduce the small terms because they have so little effect on the total variation. It is not unusual to have well over half the variation due to one or two parameters. If several performance parameters have too much variation, the major contributors ought to be listed for each. If a few parameters are causing most of the difficulty, attention can be devoted to them. If not, an extensive redesign might be necessary.

Example Problem No. 18 illustrates the procedure.

10-6 MOMENT METHOD

Statistics are combined with circuit-analysis techniques in the moment method to
Example Problem No. 18

A proposed design of a simple, series-tuned electronic circuit consists of a 50 microhenry (μH) ± 10% inductor and 30 picofarad (pF) ± 5% capacitor. Perform a worst-case and sensitivity analysis on the circuit. Does the initial design meet specifications if the maximum allowable frequency shift is ± 200 kHz? Which component is the most likely candidate for tightening tolerances in order to meet the frequency specification? (Note: micro is $10^{-6}$, pico is $10^{-12}$.) We presume s-independence between variations in inductance L and capacitance C.

Procedure and Example

(1) State the nominal values and tolerances of the components. We assume that the specified tolerances include purchase tolerance, reversible effects due to temperature and voltage, and drift during manufacture and use.

    $L_0$ = 50 μH, $|\Delta L / L_0|$ = 10%
    $C_0$ = 30 pF, $|\Delta C / C_0|$ = 5%   (10-16)

(2) State the performance equation. (There is only one; so we will drop the i subscript.)

    $$f = \frac{1}{2\pi (LC)^{1/2}}$$   (10-17)

(3) Since Eq. 10-17 contains only products of the parameters, convert it to the ln form.

    $$\ln f = -\ln 2\pi - \tfrac{1}{2}\ln L - \tfrac{1}{2}\ln C$$   (10-18)

(4) Determine the normalized sensitivities $s_j$.

    $$s_L = \frac{\partial \ln f}{\partial \ln L} = -\tfrac{1}{2}, \qquad s_C = \frac{\partial \ln f}{\partial \ln C} = -\tfrac{1}{2}$$   (10-19)

(5) Write the variation equation corresponding to Eq. 10-15.

    $$(\Delta f / f_0) = -\tfrac{1}{2}(\Delta L / L_0) - \tfrac{1}{2}(\Delta C / C_0)$$   (10-20)

(6) State allowed value of frequency shift. Calculate the nominal frequency from Eq. 10-17.

    $\Delta f_{max}$ = 200 kHz

    $$f_0 = \frac{1}{2\pi (50 \times 10^{-6}\,\text{H} \times 30 \times 10^{-12}\,\text{F})^{1/2}} = 4.11\ \text{MHz}$$   (10-21)

    Calculate the allowed fractional frequency shift.

    $$(\Delta f_{max} / f_0) = \frac{200 \times 10^{3}\,\text{Hz}}{4.11 \times 10^{6}\,\text{Hz}} = 4.9\%$$

(7) Calculate actual maximum fractional frequency shift from Eq. 10-20.

    $|\Delta f / f_0|$ = (½ × 10%) + (½ × 5%) = 5% + 2.5% = 7.5%   (10-22)

(8) Compare with allowed value in Step (6).

    7.5% > 4.9%

(9) What to do? Obviously the inductor tolerance must be reduced since it alone causes greater than allowed deviations. However, it is probably cheaper to get a narrower tolerance on the capacitor. A reasonable compromise is to allot 2/3 of the variation to the inductor and 1/3 to the capacitor. Calculate the new maximum frequency shift.

    $(\Delta L / L_0)_{new}$ = 4.9% × (2/3)/(1/2) = 6.5%
    $(\Delta C / C_0)_{new}$ = 4.9% × (1/3)/(1/2) = 3.2%
    $(\Delta f / f_0)_{new}$ = (½ × 6.5%) + (½ × 3.2%) = 4.9%   (10-23)

As mentioned in Step (1), these tolerances on the component parameters include sources other than purchase tolerance. The purchase tolerance ought to be a standard one and probably no more than half the allowed tolerance.
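The worst-case procedure of par. 10-5 applied to the circuit of Example Problem No. 18, as an added Python example that is not part of the handbook. It goes one step beyond the worked problem by also evaluating the full nonlinear Eq. 10-17 at every combination of tolerance limits, so the linearized result of Eq. 10-15 can be compared with the exact corner values; the function names and dictionary layout are this example's own.

```python
import math
from itertools import product

# Values from Example Problem No. 18; the data layout is this example's own.
NOMINAL = {"L": 50e-6, "C": 30e-12}       # henries, farads
TOLERANCE = {"L": 0.10, "C": 0.05}        # initial fractional tolerance limits
REVISED = {"L": 0.065, "C": 0.032}        # Step (9) reallocation
MAX_SHIFT_HZ = 200e3


def resonant_frequency(L, C):
    """Eq. 10-17: f = 1 / (2 pi sqrt(L C))."""
    return 1.0 / (2.0 * math.pi * math.sqrt(L * C))


def normalized_sensitivities(model, nominal, rel_step=1e-4):
    """s_j = d ln V / d ln P_j at the nominal point (Eq. 10-13), by central differences."""
    sens = {}
    for name, p0 in nominal.items():
        hi = model(**{**nominal, name: p0 * (1.0 + rel_step)})
        lo = model(**{**nominal, name: p0 * (1.0 - rel_step)})
        sens[name] = math.log(hi / lo) / math.log((1.0 + rel_step) / (1.0 - rel_step))
    return sens


def linear_worst_case(sens, tol):
    """Eq. 10-15 with every term taken at its worst sign; also returns each term."""
    terms = {name: abs(sens[name]) * tol[name] for name in sens}
    return sum(terms.values()), terms


def exact_corners(model, nominal, tol):
    """Smallest and largest fractional shift over all tolerance-limit combinations."""
    v0 = model(**nominal)
    names = list(nominal)
    shifts = []
    for signs in product((-1.0, 1.0), repeat=len(names)):
        corner = {n: nominal[n] * (1.0 + s * tol[n]) for n, s in zip(names, signs)}
        shifts.append(model(**corner) / v0 - 1.0)
    return min(shifts), max(shifts)


def analyze(tol):
    """Run the linearized and the exact worst-case checks for one set of tolerances."""
    f0 = resonant_frequency(**NOMINAL)
    allowed = MAX_SHIFT_HZ / f0
    sens = normalized_sensitivities(resonant_frequency, NOMINAL)
    linear, terms = linear_worst_case(sens, tol)
    low, high = exact_corners(resonant_frequency, NOMINAL, tol)
    return {
        "f0_hz": f0,
        "allowed": allowed,
        "sensitivities": sens,
        "linear_shift": linear,
        "terms": terms,
        "largest_term": max(terms, key=terms.get),   # the bottleneck parameter
        "exact_shift": (low, high),
        "passes_linear": linear <= allowed,
        "passes_exact": max(abs(low), abs(high)) <= allowed,
    }


if __name__ == "__main__":
    for label, tol in (("initial", TOLERANCE), ("revised", REVISED)):
        r = analyze(tol)
        low, high = r["exact_shift"]
        print(f"{label}: allowed {r['allowed']:.2%}, linear {r['linear_shift']:.2%}, "
              f"exact {low:+.2%} / {high:+.2%}, bottleneck {r['largest_term']}")
```

Because f varies as the inverse square root of LC, the upward shift at the low-L, low-C corner is larger than the linear estimate; a design that only just meets the linearized limit, such as the Step (9) allocation, should be rechecked at the corners.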
estimate the probability that performance will remain within specified limits (Refs. 1, 7, and 18). The basic procedure is much like that in par. 10-5 for the worst-case method. First, the performance equation is linearized, usually by taking logarithms of both sides or by a Taylor's series expansion (Ref. 18). Assume that the equation has been linearized and is in the form of Eq. 10-14 or 10-15.

Two theorems from statistical/probability theory are used. For the sum of random variables (from any distributions),

(1) The mean of the sum is the sum of the means.

(2) The variance of the sum is the sum of the variances and covariances.

So, in Eqs. 10-14 and 10-15, the nominal condition (indicated by the zero subscript) will be taken as the mean value. Then the first theorem is automatically satisfied. The second theorem states that (for Eq. 10-14)

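$$
\begin{aligned}
\operatorname{Var}\{\Delta V_i\} &= \sum_{j=1}^{n} \operatorname{Var}\{S_{ij}\,\Delta P_j\} + 2\sum_{j=1}^{n}\sum_{m=j+1}^{n} \operatorname{Cov}\{S_{im}\,\Delta P_m,\ S_{ij}\,\Delta P_j\} \\
&= \sum_{j=1}^{n} S_{ij}^{2}\,\operatorname{Var}\{\Delta P_j\} + 2\sum_{j=1}^{n}\sum_{m=j+1}^{n} S_{im} S_{ij}\,\operatorname{Cov}\{\Delta P_m,\ \Delta P_j\} \\
&= (\sigma_i^{*})^{2} = \sum_{j=1}^{n} S_{ij}^{2}\,\sigma_j^{2} + 2\sum_{j=1}^{n}\sum_{m=j+1}^{n} S_{ij} S_{im}\,\rho_{jm}\,\sigma_j \sigma_m
\end{aligned}
\tag{10-24}
$$

where

$\sigma_j$ = standard deviation of parameter $P_j$
$\sigma_i^{*}$ = standard deviation of $V_i$
$\rho_{mj}$ = linear-correlation coefficient of parameters $P_m$ and $P_j$ ($\rho_{mj} = \rho_{jm}$)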

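A similar development for Eq. 10-15 results in

$$(\gamma_i^{*})^{2} = \sum_{j=1}^{n} s_{ij}^{2}\,\gamma_j^{2} + 2\sum_{j=1}^{n}\sum_{m=j+1}^{n} s_{ij} s_{im}\,\rho_{jm}\,\gamma_j \gamma_m \tag{10-25}$$

where

$\gamma_j = \sigma_j / P_{j0}$ = coefficient of variation of $P_j$

$\gamma_i^{*} = \sigma_i^{*} / V_{i0}$ = coefficient of variation of $V_i$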

Eqs. 10-24 and 10-25 are similar in form (exact in content) to Eqs. 9-34 and 9-35, where $\rho_{jm} = 0$ (s-independence was assumed; it implies no linear correlation), which were developed for the probabilistic safety margin (PSM). The standard deviation $\sigma$ and coefficient of variation $\gamma$ are measures of variability or of uncertainty. The sensitivities $S_{ij}$ or $s_{ij}$ are found by differentiation; the $\sigma_j$ or $\gamma_j$ are usually given; and the $\sigma_i^{*}$ or $\gamma_i^{*}$ is to be calculated. It is often worthwhile calculating each term in Eq. 10-24 or 10-25 to find the total effect of a parameter variation on the performance variation. That way the important parameters can be identified and, if need be, analyzed for ways of reducing their impact. The impact is reduced by reducing the sensitivity or the standard deviation. The sensitivity depends on system design; the standard deviation depends on part behavior.

Fig. 10-6 shows a flow chart for the moment method, so named because the mean is the first moment and the variance (square of standard deviation) is the second central (about the mean) moment. A computer routine ought to print out not only the $\sigma_j$ (or $\gamma_j$) and $S_{ij}$ (or $s_{ij}$), but also the product $\sigma_j S_{ij}$ (or $\gamma_j s_{ij}$).


Figure  10-6.  Moment  Method 
This method for analytically estimating the drift reliability of a system necessitates that five requirements be satisfied:

(1) Specification limits must be supplied for the performance characteristic of all subsystems under consideration. Performance outside these limits constitutes a subsystem failure.

(2) A way must be found to relate performance of a subsystem to the parameters of its components. This need is met by deriving a suitable mathematical model.

(3) The variability of each parameter from one component to another and in the same component with time and environment must be known or be accurately predictable.

(4) A technique (the propagation of variance formula) must be established to combine this information to produce an estimate of overall variability incorporating the simultaneous effect of all sources of variability.

(5) Variability of performance characteristics must be translated into an estimated probability of failure as an aid in predicting reliability.

It is not easy to convert the standard deviation of $V_i$ or the allowed limits on $V_i$ to a probability of failure. As explained in par. 9-3.2, especially Eq. 9-38 and Table 9-1, the s-normal distribution may give a too low probability of failure, while the Chebyshev limit may give too high a probability of failure.

A not unreasonable guess for the probability of failure is the geometric mean of the s-normal and Chebyshev probabilities. Since that is a complicated parameter to calculate, the Reasonable-Engineering-guess has been defined as shown in Table 9-1; it is easy to calculate and is reasonably near the geometric mean.

In the process of applying the moment method, very serious consideration must be given to fulfilling requirements 2, 3, and 5 previously mentioned. Requirement 1 usually is satisfied by establishing performance characteristic limits as the point where the component ceases to produce the desired characteristic, so that the performance of the associated system becomes inadequate. Requirement 4 is met by means of the propagation of variance formula.


Development of a mathematical model of a component necessarily goes hand in hand with the desired performance characteristics on which certain limits are placed, and with the determination of parameter degradation with time. It is necessary that the mathematical model relate the internal parameters to the performance characteristics. Essentially, the mathematical model is the set of governing equations that describes both quantitatively and qualitatively the physical significance of all parameters in determining the performance characteristics. Development of the mathematical model requires that the component or design be completely analyzed, from which an analysis of each mode of failure can be determined and related to the influencing parameters. Then, the governing equations can be written. The resulting set of equations usually is programmed on an electronic computer, since this greatly simplifies manipulations of the model. These manipulations include the calculation of the sensitivities (viz., partial derivatives of each performance characteristic with respect to each contributing parameter) and the magnitude of the terms in Eq. 10-24 or 10-25. They help to indicate the relative importance of a particular parameter in determining the variation of the performance characteristic.

Once the performance limits have been established, modes of failures determined, and partial derivatives calculated, the causes and mechanisms of time-dependent parameter degradation under environmental operating conditions must be quantitatively evaluated. This evaluation can be accomplished by:

(1) Obtaining reliability and failure data from the manufacturer and the user

(2) Analyzing data from real-time simulated environmental operating tests

(3) Extrapolating data from tests run for a short time period

(4) Simulated tests of individual or multiple parameter configurations

(5) Theoretical analysis

(6) Combinations of these methods. It is essential, of course, that theoretical analyses and simulated testing be related to actual operating experience whenever possible.

Data utilized in evaluating the propagation of variance formula include:

(1) Partial derivatives of each component performance characteristic with respect to each contributing parameter

(2) Parameter mean values

(3) Parameter variances

(4) Linear-correlation coefficients for interdependent parameters.

Partial Derivatives. The partial derivatives, viz., sensitivities, are quite useful since they show the sensitivity of each performance characteristic to variations in each parameter affecting it. It is usually a good idea to calculate both $S_{ij}$ and $s_{ij}$ (plain and normalized sensitivities). It is also worthwhile printing the product $S_{ij}\sigma_j$ (or $s_{ij}\gamma_j$) to show the total variation in $V_i$ due to $P_j$.

Mean Values. The mean values of the performance characteristics obtained from the model are used to evaluate the ability of the model to simulate the behavior of the actual device. The accuracy of simulation can be determined by comparing the mean performance values derived from the mathematical model with design centers and with corresponding values obtained from empirical tests of the component being analyzed.

Conventional wisdom in the USA has it that the tolerance limits are equivalent to $\pm 3\sigma$ limits. If all tolerances are divided by a number $k$ to find the standard deviation and (tolerance/$k$) is substituted for $\sigma$ in Eq. 10-24 and (relative tolerance/$k$) is substituted for $\gamma$ in Eq. 10-25, then the factor of $k^2$ could be cancelled from both sides of revised Eqs. 10-24 and 10-25 and those equations will be true when the $\sigma$'s and $\gamma$'s are interpreted as tolerances (absolute and relative). When only tolerance limits (not standard deviations) are known, this latter procedure is recommended. When it finally comes time to estimate probabilities from performance variability, a decision on $k$ will have to be made. But at least, then, we will not have forgotten how we chose $k$, nor what we meant by it.

Performance Characteristic Variances. The performance characteristic variances are indices of the variability of the behavior of the component, and form the basis for evaluating the component design from the point of view of reliability. Standard deviations can be used in predicting reliability by expressing performance characteristic tolerance limits in terms of multiples of standard deviations and by estimating the portion of the total performance characteristic distribution that lies inside these limits (see Table 9-1).

Breakdown of Variance. In the event that an excessively high value of variance for a performance characteristic indicates a lower-than-desired reliability, it is essential to locate the source(s) of excessive variability. The breakdown of variance facilitates this step, because it tells what portion of the total variance is contributed by each parameter and, thus, immediately spotlights the major contributor(s). Since the contribution of each parameter to the whole depends on both its partial derivatives and its variance, the designer quickly can determine whether reliability can be improved by tightening the parameter tolerance limits (i.e., attempting to reduce parameter variance). He can also modify the design to reduce sensitivity (partial derivative) of the performance characteristic to that particular parameter.

Accuracy of the results of the moment method analysis is subject to four obvious limitations:

(1) The mean value and variance are incapable of reflecting by themselves such characteristics of a distribution as skewness and peakedness. Since these characteristics are not a part of the input to the moment method, they cannot be expected to appear in its output.

(2) The variations in parameter value and variance with time and environmental conditions must be known accurately to produce an accurate reliability estimate.

(3) The function that relates a performance characteristic to some parameter of the device is presented in the moment method by its slope (partial derivative), evaluated at the mean point on the curve. If the curve exhibits a high degree of curvature in the region of interest, the inability of the tangent to adequately represent the curve can be a source of error.

(4) The moment method, like any drift-reliability analysis, yields most useful information when it is applied during a time interval in which drift failures are more prevalent than catastrophic failures.

All  the  admonitions  listed  immediately 
above  in  this  paragraph  are  very  important; 
however,  rarely  if  ever  can  an  engineer  satisfy 
them  all.  Nevertheless,  the  engineer  will  go 
ahead  with  the  analyses.  The  purpose  of  the 
admonitions  then  is  to  make  the  engineer  very 
wary  of  taking  the  analytic  results  as  gospel. 

Example  Problem  No.  19  illustrates  the 
procedure. 

10-7  MONTE  CARLO  METHOD 

In the Monte Carlo method, a large number of replicas of a circuit are simulated by mathematical modeling (Ref. 18). Component values are randomly selected in accordance with their probability of occurrence, and the performance of each replica is determined for its particular set of randomly generated components. The performance of each replica is compared with specification limits. The ratio of the number of replicas falling within the specification limits to the total number of replica trials is a measure of the circuit drift reliability. This method can yield a more accurate estimate of circuit reliability than any of the other methods discussed in this chapter; furthermore, it can approximate the actual distribution. Fig. 10-7 is a block diagram of the Monte Carlo method.


FIGURE 10-7. The Monte Carlo Method

The Monte Carlo method gives very little help in identifying and correcting failures. Even though a complete list of performance characteristics and parameter values is printed out for each failed replica, the offending parameters are not spotlighted and the reason for failure must be deduced from the available information. If the analysis is not truncated because of an excessive failure count, a specified number of replicas are analyzed and the results are recorded.

Single-parameter components with oddly shaped frequency distributions can be modeled by using a histogram or a cumulative polygon. The cumulative plot is better suited for random selection. For each random number between 0 and 1 (corresponding to a relative frequency of occurrence), a component value is determined by the cumulative polygon. For more efficient computation a smooth, continuous mathematical function can be fitted to the polygon.


When correlations exist among the various parameters of a multiparameter system, a list of measured sets of values is prepared. Each set represents the behavior of an individual part and is assigned a serial number. The serial numbers are then randomly selected from the list. After a complete set of parameter values has been inserted into the mathematical model (selected from the list), the performance characteristics for that particular replica are determined. If the characteristics exceed performance limits for a predetermined number of replicas, the circuit design is considered unreliable and must be modified.

Drift reliability is computed as the proportion of successful replicas. The reliability s-confidence level is the likelihood that the computed reliability represents all possible replicas. Mean values and standard deviations
Example Problem No. 19

Compute the drift reliability of the tuned circuit for which the worst-case analysis was performed (par. 10-5).

Procedure / Example

(1) State the tolerances in L and C. As mentioned in the text, interpret the $\gamma$'s in Eq. 10-25 as relative tolerances. Do not yet choose $k$, the ratio of tolerance to standard deviation.

$$
\begin{aligned}
\Delta L/L_0 &= 10\%, \quad \gamma_L = 10\%/k \\
\Delta C/C_0 &= 5\%, \quad \gamma_C = 5\%/k
\end{aligned}
\tag{10-26}
$$

(2) State the sensitivities, $s_L$ and $s_C$, computed previously (Eq. 10-19).

$$s_L = -\tfrac{1}{2}, \quad s_C = -\tfrac{1}{2} \tag{10-27}$$

(3) Compute $\gamma_f^2$ (and thus $\gamma_f$) from

$$\gamma_f^{2} = (s_L \gamma_L)^{2} + (s_C \gamma_C)^{2} \tag{10-28}$$

$\rho_{LC} = 0$ because of the s-independence assumption.

$$
\begin{aligned}
\gamma_f^{2} &= (-\tfrac{1}{2} \times 10\%/k)^{2} + (-\tfrac{1}{2} \times 5\%/k)^{2} \\
&= (0.05/k)^{2} + (0.025/k)^{2} \\
&= 0.0031/k^{2} = (0.056/k)^{2} \\
\gamma_f &= 5.6\%/k
\end{aligned}
\tag{10-29}
$$

(4) State the tolerance limit $T_f$ on relative frequency, from Eq. 10-21.

$$T_f = \pm 4.9\% \tag{10-30}$$

(5) Calculate $T_f/\gamma_f$, which is an indicator of how well the specification is being met. Obviously, if we mean the same thing by "tolerance" for f as we did for L and C, then we are exceeding the allowed tolerance.

$$T_f/\gamma_f = 4.9\%/(5.6\%/k) = 0.88k \tag{10-31}$$

The fraction of the population which corresponds to $0.88k$ will fall outside the tolerance limits of $\pm T_f$.

(6) Estimate the failure probability of the circuit. We must choose $k$. Try several reasonable values; for each, use the Reasonable-Engineering-guess (REG), see Table 9-1, and the s-normal distribution for failure probabilities.

The 2-sided probabilities are appropriate since deviations either way are bad.

                      Estimated Failure Probability
   k       0.88k        REG          Normal
  2.5       2.2         7.8%          2.8%
  3.0*      2.6         3.8%         ≈0.92%
  3.5       3.1         1.3%          0.19%

(10-32)

The * value is conventional wisdom as mentioned in the text. Since the choice of both $k$ and the distribution is left to engineering judgment (in the absence of extensive tests), there is quite a range from which to choose a failure probability.



are computed for each performance characteristic and are quite similar to those obtained by the moment method. A frequency distribution can be computed for each performance characteristic. These distributions can be plotted for further interpretation of the data. Fitting a smooth mathematical function to the distributions often can be helpful in evaluating the tails which tend to be poorly defined unless a large number of replicas have been computed. In no instance, of course, ought the tails of a performance-characteristic distribution extend beyond the worst-case limits.
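
The worst-case, moment, and Monte Carlo analyses of pars. 10-5 through 10-7 can be run side by side on the tuned circuit of Example Problem No. 19. The following is an added example, not code from the handbook or from the FORTRAN program of Ref. 8; the function names are this example's own, the moment-method routine goes beyond the example problem by accepting linear-correlation coefficients, and the Monte Carlo routine assumes s-normal, s-independent parameters with standard deviation equal to tolerance/k.

```python
import math
import random

# Values from the handbook's tuned-circuit example (Eqs. 10-21 and 10-26).
NOMINAL = {"L": 50e-6, "C": 30e-12}   # henries, farads
REL_TOL = {"L": 0.10, "C": 0.05}      # relative tolerances on L and C
DF_MAX = 200e3                        # allowed frequency shift, Hz


def resonant_frequency(p):
    """Performance model: f = 1 / (2*pi*sqrt(L*C))."""
    return 1.0 / (2.0 * math.pi * math.sqrt(p["L"] * p["C"]))


def normalized_sensitivities(model, nominal, h=1e-6):
    """s_j = (dV/V0)/(dP_j/P_j0), by central differences at the nominal point."""
    v0 = model(nominal)
    sens = {}
    for name, p0 in nominal.items():
        hi = dict(nominal, **{name: p0 * (1 + h)})
        lo = dict(nominal, **{name: p0 * (1 - h)})
        sens[name] = (model(hi) - model(lo)) / (2 * h * v0)
    return sens


def worst_case(sens, rel_tol):
    """Linearized worst case: every parameter at its most harmful limit."""
    return sum(abs(sens[n]) * rel_tol[n] for n in sens)


def moment_method(sens, rel_tol, rho=None):
    """Eq. 10-25 with the gammas read as relative tolerances.

    rho maps a pair (j, m) to a linear-correlation coefficient; pairs not
    listed are treated as s-independent. Returns (gamma_total, share), where
    share[j] is parameter j's fraction of the uncorrelated variance.
    """
    rho = rho or {}
    names = list(sens)
    terms = {n: (sens[n] * rel_tol[n]) ** 2 for n in names}
    variance = sum(terms.values())
    for a, j in enumerate(names):
        for m in names[a + 1:]:
            r = rho.get((j, m), rho.get((m, j), 0.0))
            variance += 2 * sens[j] * sens[m] * r * rel_tol[j] * rel_tol[m]
    uncorrelated = sum(terms.values())
    return math.sqrt(variance), {n: t / uncorrelated for n, t in terms.items()}


def normal_failure_probability(limit, gamma_tol, k):
    """Two-sided s-normal tail beyond +/-limit when sigma = gamma_tol / k."""
    z = limit / (gamma_tol / k)
    return math.erfc(z / math.sqrt(2.0))


def monte_carlo(model, nominal, rel_tol, limit_abs, k, replicas=100_000, seed=1):
    """Fraction of simulated replicas whose output leaves nominal +/- limit_abs.

    Assumption of this example: each parameter is s-normal and s-independent
    with standard deviation = (relative tolerance / k) * nominal value.
    """
    rng = random.Random(seed)
    v0 = model(nominal)
    failures = 0
    for _ in range(replicas):
        sample = {n: rng.gauss(p0, p0 * rel_tol[n] / k) for n, p0 in nominal.items()}
        if abs(model(sample) - v0) > limit_abs:
            failures += 1
    return failures / replicas


if __name__ == "__main__":
    f0 = resonant_frequency(NOMINAL)
    s = normalized_sensitivities(resonant_frequency, NOMINAL)
    gamma_f, share = moment_method(s, REL_TOL)
    limit = DF_MAX / f0
    print(f"f0 = {f0 / 1e6:.2f} MHz, allowed shift = {limit:.1%}")
    print(f"worst case = {worst_case(s, REL_TOL):.1%}, moment method = {gamma_f:.1%}/k")
    print("variance share:", {n: f"{v:.0%}" for n, v in share.items()})
    for k in (2.5, 3.0, 3.5):
        pn = normal_failure_probability(limit, gamma_f, k)
        pm = monte_carlo(resonant_frequency, NOMINAL, REL_TOL, DF_MAX, k)
        print(f"k = {k}: s-normal {pn:.2%}, Monte Carlo {pm:.2%}")
```

The variance share shows the inductor contributing 80% of the uncorrelated variance, which is the breakdown-of-variance result that points the designer at the inductor tolerance first.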

10-8  METHOD  SELECTION 

In the early stages of circuit design when realistic tolerances must be selected for the component parts (tolerances that will be economical and yet restrict performance within prescribed limits), the worst-case method is extremely useful. This method makes no attempt to simulate the real system closely, but is intended to give basic design information. If the circuit passes the worst-case test, the variability analysis can be considered complete, since drift failures will not occur if parameter tolerances are not exceeded.

Since it is often not feasible to modify a circuit so it can pass the worst-case test, the probability of successful operation must be estimated. Both the moment and the Monte Carlo methods can be used to make this estimate. The moment method is usually less accurate because of the omission of higher-order terms in the propagation-of-variance formula, but the numerical values of the partial derivatives and breakdown of variance are extremely useful in guiding the modification of the design. The Monte Carlo method is capable of estimating the probability of success with high accuracy and should be considered when final approval of a design is needed. The moment and worst-case methods are more suitable during the earlier design stages, since the Monte Carlo method provides little feedback or redesign information. The component-variability data collected with the moment or worst-case method can be expanded later to implement a Monte Carlo analysis.


10-9  COMPUTER  PROGRAMS 

A number  of  computer  programs  for 
parameter  variation  analysis  are  available  for 
use  by  the  engineer.  Some  of  these  programs 
are  listed  in  Table  10-1. 

10-9.1  A GENERAL  PROGRAM 

A FORTRAN listing of a general program that implements nearly all of the techniques discussed is given in Ref. 8. It is described here briefly. A flow diagram of the program is shown in Fig. 10-8. As can be seen from the figure, the program is keyed to the subroutine which evaluates the performance model. To make the program applicable to any kind of system, no built-in performance model subroutine is included. This subroutine must be supplied by the user of the program (Ref. 4).

The input to the program is a mathematical description of the system model (and the time behavior of the model, if required), the number of random and fixed variables involved, and the means or nominal values of the input variables. Other components of the input are the standard deviations or step sizes in the input variables, the input variable distributions, if available, and the correlations of the input variables. An additional input that is required for some analyses is a selection of values of the element parameters at which the performance model is to be evaluated. Additional programs are described in Refs. 9 through 12.

10-9.2 ECAP AND NASAP

The Electronic Circuit Analysis Program (ECAP) (Ref. 9) is used widely and is available for use on the IBM 1620, 7000 series and 360 series computers (Ref. 14). It has been suitably modified for use on a variety of other computers and has some valuable additional features for parameter variation analysis.

The basic versions of ECAP have the following computational capabilities (Ref. 15):

(1) For DC analysis, ECAP computes partial derivatives of voltage at a particular circuit node with respect to a circuit parameter in a particular branch; sensitivity of a
TABLE 10-1. PROGRAMS FOR PVA⁸

PROGRAM CODE    PROGRAM DESCRIPTION    REFERENCE

PV-RTI    Performance Variation analyses; general program for worst-case, moments, simulation, etc.    4

MCS-IBM    Monte Carlo Simulation for performance variation analysis with programmed functional model.    9

MCS-GDC    Monte Carlo Simulation for performance variation analysis with programmed functional model.    10

PV-LS    Performance Variation analysis program for systems.    11

PV-SE    Performance Variation analysis program using Monte Carlo simulation with programmed mathematical model.    12

MANDEX-NAA    Modified AND Expanded worst-case method for analysis of circuit performance variations with circuit equations.    3

MM-NAA    Moment Method for circuit performance variation analysis with circuit equations; computer mean and variance; correlation included.    3

MCS-NAA    Monte Carlo Simulation for circuit performance variation analysis with circuit equations; correlation included.    3

VINIL-NAA    VINIL method for circuit performance variation analysis with circuit equations.    3

PVM-NAA    Parameter Variation Method for circuit performance variation analysis with circuit equations; one-at-a-time and two-at-a-time analyses.    3
[Flow diagram; surviving block labels: mean, variance, standard deviation, third and fourth moments, skewness, covariance matrix, ranking; fit appropriate distribution; Laguerre polynomials; calculate partial derivatives; Taylor series approximation; worst-case analysis; sensitivity; checks for nonlinearity; standard deviation of performance attributes; significant interactions.]

FIGURE 10-8. Flow Diagram for General PVA Program.


node voltage with respect to a branch parameter; worst-case solutions; standard deviation of circuit output variation; and automatic parameter variation, which allows a parameter to be incremented over a range of values with a circuit solution computed for each value.

(2) For AC analysis, a version of ECAP includes a capability for automatic parameter variation analysis. Additional capabilities that also have been incorporated in ECAP include AC sensitivity analysis and solution of the propagation-of-variance equation (Ref. 14).

The Network Analysis for System Application Program (NASAP) has been developed by the NASA Electronics Research Center in a cooperative effort involving about 20 users of the program (Ref. 16). NASAP is unique among circuit analysis programs in that it uses flowgraph techniques to analyze networks instead of matrix-oriented techniques. It also manipulates circuit symbolic parameters instead of actual parameters until the final step of the analysis. This symbol-manipulation feature has some interesting ramifications, one of which is the ability to calculate partial derivatives and sensitivities symbolically (Ref. 17).

In addition to the capabilities noted, NASAP incorporates an optimization procedure which eliminates from a circuit input those parameters having less than a preassigned amount of influence on circuit performance parameters. The procedure is, in effect, a tolerance analysis (Ref. 17).

NASAP originally was written in FORTRAN IV for use on the CDC 3600 computer. It also is now in use on several other computers.
CHAPTER 11 DESIGN AND PRODUCTION REVIEWS


11-1  INTRODUCTION 

Reviews ought to be conducted throughout the life cycle of an item, from concept to field use. The reviews during design and production are perhaps the most important. The preproduction review is essential because drawings and other specifications are never complete, and the design, as it emerges from the design group, rarely is directly suited for mass production. Regardless of the arguments between engineering and production about who is right, the production department's implementation of the drawings and specifications must be reviewed by both the design and reliability groups.

This chapter dwells on the design review to illustrate the kinds of attention to detail that are required. Similar considerations will hold for reviews at the other stages in the life cycle.

The formal review of equipment design concepts and design documentation for both hardware and software is an essential activity in any development program. Standard procedures ought to be established to conduct a review of all drawings, specifications, and other design information by the contractor's technical groups such as equipment engineering, reliability engineering, and manufacturing engineering. This review should be accomplished prior to the release of design information for manufacturing operations. Such a review is an integral part of the design-checking reviews. Responsible members of each reviewing department meet to consider all design documents, resolve any problem areas uncovered, and signify their acceptance of the design documentation by approving the documents for their departments.

Reliability engineering, in conjunction with the equipment engineering groups, ought to conduct an intensive review of the system during initial design. The design review includes the following major tasks:

(1) Analysis of environment and specifications

(2) Formal design review of engineering information

(3) Reliability participation in all checking reviews.


Prior to the formal design review, the requirements defined in applicable military and equipment specifications are reviewed. The expected environmental extremes of the system are studied to determine suspected detrimental effects on equipment performance. Checklists, based on these studies, are prepared to assure that the objectives of formal design reviews are fulfilled.

The formal design review, which is instituted prior to the release of drawings, is intended to do the following:

(1) Detect any conditions that could degrade equipment reliability.

(2) Provide assurance of equipment conformance to applicable specifications.

(3) Assure the use of preferred or standard parts as far as practical.

(4) Assure the use of preferred circuitry as far as possible.

(5) Evaluate the electrical, mechanical, and thermal aspects of the design.

(6) Provide stress analysis to assure adequate part derating.

(7) Assure accessibility of all parts that are subject to adjustment.

(8) Assure interchangeability of similar subsystems, circuits, modules, and subassemblies.

(9) Assure that adequate attention is given to all human factors aspects of the design.

(10) Assure that the quality control effort will be effective.

This formal design review is conducted with schematic diagrams, initial parts lists, layout drawings, design and development reports, technical memoranda, and breadboard test results. To insure that the recommendations of the design review group are carried out and are incorporated in all released drawings, reliability engineering personnel should attend all of the final checking reviews.

A detailed schedule for design review must be included in program plans developed for a system design effort. This schedule shows the names of personnel responsible for the review. The final program plans must also include copies of typical checklists to be used in the design review program.

All major changes to the system must be subjected to design review. This review will be similar to that performed during initial design. All subcontracted portions of the system are also subjected to a design review. Recommendations are to be made to subcontractors for corrective action as required, and to the quality control group for incoming inspections.

11-2  ORGANIZING  FOR  THE  REVIEWS 

Design  review  teams  ought  to  include: 

(1)  Technically  oriented  personnel  from 
all  groups  associated  with  the  product 

(2) Design specialists from groups that have no direct association
with it.

Customer participants also may be present, usually at the critical
final review. Normally, however, participation ought not to exceed 20
people in order to maintain effective control and prevent undue loss
of time. Frequently, the experience of the members of the design
review team provides the knowledge for a “design break-through” which
might not otherwise occur.

The prime task of the design review team is to conduct a detailed
design review of the system, including subcontracted items, during the
development phase and to review all design changes during the
preproduction phase. The design review team also will review the data
developed during system tests. The development phase design review is
divided into two levels: (1) conceptual review and (2) development
review. The conceptual review is conducted after the preliminary
design is complete and is oriented to unit and subassembly
specifications. The developmental review is conducted prior to release
of the design to production and is oriented to cabinet and subassembly
design (to validate the actual hardware design for compliance with
cabinet and subassembly specifications). In addition, special design
reviews are held when significant reliability or performance
difficulties are identified during manufacturing or testing. Data
submissions, except for engineering drawings, ought to be as follows:


(1) Drawings, schematics, sketches, flow diagrams, or specifications
submitted for review as part of a data package are not required to be
in their final form but must contain the final information in a clear
complete format.

(2) All linework, symbols, numbers, and letters must be clearly
discernible at normal desk top working distance.

(3) Sketch or drawing numbers and revision numbers will be included.

(4) Reports will include title, issue or revision data, and
originating individual or activity.

The functions of design review team members are briefly summarized in
Table 11-1.

11-2.1  REVIEW  BOARD  CHAIRMAN 

Personality, position, and technical competence are important factors
in the selection of a review board chairman. The task requires a high
degree of tact, a sound knowledge and understanding of the design
requirements, and an unbiased point of view concerning the proposed
design. He ought not to be a member of the design staff or of the
reliability or other support groups. The configuration management
manager is frequently chosen for this position.

The  chairman’s  duties  are  as  follows: 

(1) To establish criteria for selecting specific items for review and
the type of review to be conducted.

(2) To schedule reviews at the earliest date consistent with the
design and development of each item reviewed.

(3) To coordinate and assist the design organization in the
preparation of the design data required for the review.

(4) To insure that preliminary copies of agenda, drawings, and related
data are sent to the appropriate organizations. This must be done
sufficiently in advance of each review to facilitate their prior
evaluation and submission of preliminary comments in preparation for
each review.

(5) To chair the design review meeting, supervise publication of the
minutes, evaluate comments resulting from reviews, and initiate
followup action as appropriate.

(6) To revise the system definition documentation when the proceedings
of a review warrant it.

TABLE 11-1. DESIGN REVIEW GROUP, RESPONSIBILITIES AND MEMBERSHIP SCHEDULE

GROUP MEMBER: RESPONSIBILITIES

Chairman: Calls, conducts meetings of group, and issues interim and
final reports.

Design Engineer(s) (of product): Prepares and presents design and
substantiates decisions with data from tests or calculations.

*Reliability Manager or Engineer: Evaluates design for optimum
reliability, consistent with goals.

Quality Control Manager or Engineer: Ensures that the functions of
inspection, control, and test can be efficiently carried out.

Manufacturing Engineer: Ensures that the design is producible at
minimum cost and schedule.

Field Engineer: Ensures that installation, maintenance, and operator
considerations were included in the design.

Procurement Representative: Assures that acceptable parts and
materials are available to meet cost and delivery schedules.

Materials Engineer: Ensures that materials selected will perform as
required.

Tooling Engineer: Evaluates design in terms of the tooling costs
required to satisfy tolerance and functional requirements.

Packaging and Shipping Engineer: Assures that the product is capable
of being handled without damage, etc.

Design Engineers (not associated with unit under review):
Constructively review adequacy of design to meet all requirements of
customer.

Customer Representative (optional): Generally voices opinion as to
acceptability of design and may request further investigation on
specific items.

*Similar support functions performed by maintainability, human
factors, value engineering, etc.

11-2.2  DESIGN  GROUP 

The design group prepares and transmits preliminary copies of agenda,
drawings, and related data to appropriate organizations sufficiently
in advance of each review to facilitate their prior evaluation, and
provides documentation, drawings, and data required for each review.
This may include, as appropriate: block diagrams, layouts, sketches,
schematics, interface data and drawings, detail drawings, weight
analyses and graphs, appropriate system or item specifications,
failure mode and effect analyses, Cause-Consequence charts (fault
trees), predictive reliability estimates, reliability block diagrams,
critical item lists, and detail study results (e.g., those from
stress-strength and parameter variation analyses).

With support from special groups such as reliability, maintainability,
human factors, and logistics, the design group plans, conducts, and
makes the design review presentation. All design reviews must describe
system or end item requirements, configuration, how the requirements
have been met by the proposed design, installation considerations,
system or item interfaces with other systems, ground support
equipment, etc.

Included in the design review are items such as anticipated
development schedules; reliability, maintainability, system safety,
human factors, and value engineering factors; producibility
considerations including costs, special tools, and facilities
requirements; trade studies; test requirements and plans; performance
characteristics, including inputs, outputs, and tolerances; and
electromagnetic interference.

The  design  group  participates  in  the 
preparation  of  minutes  and  the  evaluation  and 
classification  of  comments  resulting  from 
reviews.  They  initiate  configuration  changes  if 
warranted,  followup  on  all  comments  that 
require  further  study,  and  provide  a list  of 
accountability  for  all  design  review  comments 
in  order  to  define  responsibility  for  all  design 
improvements. 


11-2.3  OTHER  REVIEW  TEAM  MEMBERS 

The formal inputs from specialized review team members are defined by
the individuals responsible for the design group presentation. The
essential responsibility of the specialists is to critique the design
from the standpoint of the design requirements of their specialty and
to offer recommendations for improvements. Thus, reliability and other
support personnel contribute to a design review by presenting data on
compliance with reliability, maintainability, safety, and human
factors engineering requirements and standardization. They may propose
study projects to develop improvements in their areas of technical
responsibility and competence.

The production engineering staff can add measurably to possible design
improvements by supplying manufacturing research data and by applying
review recommendations to the refinement of production and procurement
planning.

Quality assurance personnel can review technical data and
documentation; provide quality assurance data, reports, and analyses;
determine constraints, qualification acceptance, and test requirements
as they apply to the quality assurance program; and use review
recommendations to refine quality and inspection planning techniques.

11-2.4  FOLLOWUP  SYSTEM 

To achieve maximum results from a design review, a followup system
must be established to insure that all corrective actions are
performed. All individuals concerned with a design review must
recognize their responsibility for followup.


Design changes that have been recommended and approved must be
incorporated into the system design as early as practical. A proven
technique is to provide all design change information to a closed loop
corrective action system established for the project. Good
recordkeeping will avert repeated coverage of the same problems and
prevent significant loss of insight. Good continuity and followup
enable each successive review to be directed to new areas as the
system design proceeds toward production and use.

11-3  REVIEW  CYCLES 

The design review cycle, as subsequently described, must be performed
for both system hardware and software. Both the Army and its
contractors participate in the design review effort. Typical phases
are listed in this paragraph.

11-3.1  TECHNICAL  EXCHANGE  PHASE 

The design review cycle is initiated upon receipt of the preliminary
design data package by the contractor’s design review team from the
engineering group. Preliminary data packages contain all the
information necessary for the performance of a design review. A
minimum list of the information necessary for the performance of a
design review is given in pars. 11-4 and 11-5. The independent
consultants representing the various disciplines ought to contact the
counterpart design engineer to initiate technical exchange. Subsequent
to this, each consultant documents his comments and recommendations.
The multidiscipline comments and recommendations will be integrated by
the design team and forwarded to the engineering group. A documented
response from engineering completes the technical exchange phase.

11-3.2 INTERNAL DESIGN REVIEW MEETING/AGREEMENT PHASE

Formal, contractor, design review meetings ought to be held a minimum
of once a month. All items in the documented response from engineering
must be included in the minutes of these formal, internal, design
review meetings. If the engineering response for any item does not
agree with the design review team’s recommendation, this item is to be
discussed at the meeting. The purpose of these meetings is to seek
agreement on all such items. Where agreement is not achieved,
available information must be documented and presented to management
for resolution. Minutes of internal design review meetings record all
items covered at the meetings, specific designs reviewed, and
decisions made.


11-3.3 ARMY INVOLVEMENT IN INTERNAL DESIGN REVIEW

At the time of submission to the contractor’s design review team, the
Army is furnished several copies of the same preliminary data
package(s) that are submitted to the contractor’s design review team.
The Army uses the preliminary data packages for information only. All
items covered at the design review meetings are included in the
meeting minutes. Army personnel can attend the contractor internal
design review meeting as observers but do not participate in the
discussions.

11-3.4  DESIGN  DATA  PACKAGE  PHASE 

The contractor’s engineering group revises the preliminary data
package according to the results of the design review activity and
agreements of the internal design review meeting. The updated
preliminary data package is submitted to the design review team for
review and approval. This package, when approved by the design review
team, is called the design data package. Design data packages are
submitted to the Army for review and are placed under internal
contractor documentation control.

11-3.5  CHANGE  DATA  PACKAGE 

All changes to design data packages must be documented. A change data
package is prepared and submitted for internal contractor design
change review. An engineering change review is performed to retain
configuration control during preproduction and production. Subsequent
to contractor formal approval by its design review team, the change
data package is forwarded to the Army.

11-3.6 PERFORMANCE SPECIFICATION CHANGES

All performance specification change proposals must be submitted to
the Army for approval. Changes to the performance specification must
be accomplished by contract modifications.




11-3.7  GOVERNMENT  RESPONSE 

Within  some  reasonable  period  of  time 
after  receipt  of  each  contractor  submission 
(except  for  preliminary  data  packages),  the 
Army  furnishes  the  contractor  with  a detailed 
critique. 

11-3.8  UNSATISFACTORY  DESIGN  DATA 

If  any  design  data  submitted  by  the 
contractor  are  considered  unsatisfactory,  and 
so  documented  by  the  Army  critique,  the 
contractor  must  state  his  planned  action. 

11-3.9  ARMY/CONTRACTOR  REVIEW 
MEETING 

If requested by the contractor, comments resulting from the Army
reviews will be discussed in informal meetings between the Army and
the contractor. All items covered at the meeting are included in the
meeting minutes.

11-3.10  STANDARD  REVIEW 

System data items that include technical design standards ought to be
reviewed by the contractor's design review team for completeness and
adequacy as a design standard. Subsequent to this review, the detailed
system data are submitted to the Army for review and comment.

11-3.11 SUBCONTRACTOR DESIGN REVIEW

A design review of subcontracted items must be performed. The
contractor design review unit treats subcontracted items like
contractor-prepared items.

11-4 MINIMUM REQUIREMENTS IN CONCEPTUAL-PHASE REVIEW

The applicable documents listed in system specification and data
packages are the basis for the review. Each conceptual review
considers the results of the engineering activity documented in the
data package. A data package is prepared after engineering has
completed the following activities:

(1)  Hardware: 

(a) Prepared functional block diagrams, including interfaces.

(b) Partitioned the diagram into units (cabinets), new and modified.

(c) Allocated system reliability requirements to the unit level.

(d) Prepared a development specification for each unit to include
reliability, maintainability, and mechanical packaging requirements.

(e) Prepared cabinet block diagrams.

(f) Partitioned the cabinet into subassemblies.

(g) Allocated cabinet requirements to the subassembly level.

(h) Prepared design specifications for each subsystem and circuit
subassembly (including outside vendor items). Include reliability,
maintainability, and mechanical packaging requirements.

(2)  Software: 

(a) Identified functions to be implemented within the system computer,
identified subroutines required for each function, and estimated
memory and computation time required for each subroutine.

(b) Prepared a development specification for each computer subroutine.

(c) Defined major functions of the computer program.

(d) Defined detailed functional requirements.

(e) Defined data requirements with respect to system environment,
parameters, and capacities.

The conceptual-phase data package ought to include at least the
following:

(1)  Hardware: 

(a) System description that clearly relates to the system performance
specification while unmistakably giving an overview of system
operation

(b) Equipment development specification for each unit (cabinet) with
detailed references to the system performance specification

(c) Functional block diagram that includes signal flow and
characteristics as well as clearly delineating those portions of the
system/cabinet involved in each operational mode

(d) System interface tabulation (include input/output wire and cable
data as well as signal information and characteristics)

(e) Reliability/maintainability concepts and predictions, including a
detailed analysis of the reliability model

(f) Government Furnished Equipment (GFE) tabulation

(g) Contractor Furnished Equipment (CFE) tabulation

(h) Preliminary installation planning data

(i) Digital logic characteristics completely specified (e.g.,
frequency response, noise margin, fan in/fan out, impedance,
reliability, environmental characteristics, and mechanical
configuration)

(j) Concept for computer-aided analysis of linear and digital circuits
and mechanical assemblies and structures

(k) System human factors concepts

(l) Clear description (electrical, mechanical) of unit characteristics
and function as part of the total system (including a complete and
concise listing of interface data such as signal levels, impedances,
and waveforms)

(m) Design specifications for each circuit subassembly in the unit

(n) Unit functional block diagram(s) including signal flow and
characteristics within the unit and interface data (signal and
impedance levels, waveforms, etc.) pertinent to all inputs and outputs
to the unit

(o) Unit interfaces (inputs and outputs), including signal flow and
signal characteristics (e.g., voltage and current levels, frequencies,
impedances, and unusual conditions)

(p) Unit power consumption estimate

(q) Unit weight estimate

(r) Unit maintenance and fault location design

(2)  Software: 

(a) Computer program development specification

(b) Computer interface definition

(c) Timing and sequencing definition

(d) Description of major functions of each program

(e) Input and output data definition

(f) Processing descriptions

(g) Environmental data

(h) System parameters and program capacity requirements.

11-5  MINIMUM  REQUIREMENTS  FOR 
DEVELOPMENTAL-PHASE  REVIEW 

The applicable documents listed in the system specification and data
packages previously reviewed provide a basis for developmental review.
Each such review considers the results of the conceptual design
reviews documented in the data package. Such packages are prepared for
each unit, circuit subassembly (including outside vendor items), and
for the computer programs after engineering has completed the
following design activities:

(1)  Hardware: 

(a) Designed a unit (cabinet) to perform the desired functions.

(b) Performed trade-off and design analyses.

(c) Prepared engineering sketches to document the cabinet design
(including schematics, block diagrams, parts list information, and
assembly layouts).

(d) Documented a description of unit operation and recommended method
of test.

(e) Designed subsystem and circuits to perform the desired function.

(f) Analyzed and tested the design, utilizing engineering breadboards
and computer-aided analysis techniques where applicable.

(g) Prepared engineering schematic and parts list information to
document the design.

(h) Documented a description of system operation and a recommended
method of test.

(2) Software: Data packages must be prepared for each subroutine after
engineering has completed the following design activities:

(a) Prepared computer program product specifications.

(b) Specified functional allocations.

(c) Prepared storage allocations.

(d) Prepared functional flow diagrams.

(e) Prepared narrative descriptions.

(f) Defined modularity.

(g) Selected subroutines.

The  developmental  data  package  ought  to 
include  at  least  the  following. 

(1)  Hardware: 

(a) Engineering schematics, block diagrams, interunit wiring, and
parts list information

(b) Nonstandard electrical and mechanical part specification sheets

(c) Description of unit operation supporting compliance with unit
specification

(d) Recommended method of calibration, alignment, and test

(e) Reliability prediction for the unit (include electrical and
mechanical stress data). The prediction ought to include a detailed
explanation of the reliability model, including substantiated failure
rates and hardware content of each block of the reliability model.

(f) Front panel drawings of cabinets having display and control
functions (include human factors data)

(g) Mechanical design layouts and assembly diagrams (include
structural and thermal analyses)

(h) Engineering schematic and parts list information

(i) Description of circuit operation supporting compliance with
circuit specifications

(j) Reliability prediction for the subassemblies (include electrical
and mechanical stress data). The model used as the basis for these
predictions will be included.

(k) Information such as signal flow paths, signal levels, impedances,
gains, waveforms, bias levels, Boolean expressions, or truth tables
ought to be shown on schematics or otherwise provided.

(l) Maintainability analysis data

(m) A variability analysis ought to be performed. The analysis will
consider the effects of component tolerances, random part selection,
aging, and environmental and electrical stresses. The method will be
selected from the following: worst-case, moment, or Monte Carlo.

(n) Description of EMI/EMC suppression techniques

(o) Analysis of personnel hazard problems

(p) Test point selection, identification, and tabulations.

(2)  Software: 

(a) Computer program product specification

(b) Computer program and subroutine descriptions

(c) Subroutine listings.

11-6  CHECKLISTS 

Checklists are useful as reminders. A list of items is prepared for
the design review team. Each factor is evaluated separately during the
design review, and is documented to substantiate the decisions
reached. A typical design review checklist is presented in Table 11-2.
Appendix A contains a detailed set of checklists that can be used by
Army engineers for evaluating a variety of systems.

TABLE 11-2. RELIABILITY ACTIONS CHECKLIST

Design Title:                Number:

Form columns: No.; Item; Completed; Responsibility; Design;
Reliability; Notes and Comments

No.  Item
1.   System Constraints
     a. Success Criteria
     b. Environmental Stresses
     c. Compatibility Factors
     d. User Skill Levels
2.   Feasibility Study
3.   Reliability Apportionment
4.   Preliminary Reliability Review
5.   Trade-off Studies
6.   Functional Schematics
7.   Block Diagram
8.   Cause and Effect Analysis
9.   Worst Case Analysis
10.  Subsystem and Equipment Reliability Prediction
     a. Part Failure Rate Method
     b. Safety Margin Method
     c. Drift Rate and Tolerance Method
11.  Intermediate Design Review
12.  Time/Cycle Recording Requirements
13.  Failure Reporting Requirements
14.  Serialization Requirements
15.  Procurement Specification Review
16.  Vendor Proposal Review
17.  Source Selection Review
18.  Parts Selection and Application Review
19.  Reliability Signoff - Top Assy. & Inst. Dwgs.
20.  Vendor Design Review

TABLE 11-2. RELIABILITY ACTIONS CHECKLIST (con.)

Design Title:                Number:

No.  Item                                        Responsibility
21.  Critical Design Review                      D  R
22.  Process Controls                            D  X
23.  Manufacturing Procedure Controls            D  X
24.  Qualification Test Review                   D  X
25.  Acceptance Test Review                      D  X
26.  Integration Test Review                     D  X
27.  Reliability Demonstration Test Review       D  X
28.  System Test:
     a. Test Requirements Review                 D  X
     b. Test Plans Review                        D  X
     c. Reliability Tests                        R
29.  Reliability Summary Sheet                   R

D = Prime Action by Designer: check off, sign and date as completed.
R = Prime Action by Reliability Engineer: check off, sign and date as completed.
X = Check by Reliability Engineer: initial and date.

APPENDIX A DESIGN DETAIL CHECKLISTS


A-1 INTRODUCTION

In Chapter 11 the concept of checklists is discussed. This appendix
provides several checklists addressed to specific design features that
influence reliability. These checklists ought to be used in the formal
design review and will also be helpful in the day-to-day development
of a design. Checklists always should be reviewed before applying
them. Inapplicable items are deleted, and the list is supplemented
with additional requirements that are appropriate for the specific
design being evaluated. Unique developments or problems may require
special checklists.

A-2  PROPULSION  SYSTEMS 

(1) Specified pressure levels for leak checks will not damage
sensitive components (diaphragms, burst discs, etc.).

(2) Electrical systems within engine areas will operate when exposed
to high temperature and propellants.

(3) Propulsion system installation includes heat protection for
primary structure.

(4) Shutdown or “zero thrust” capability is included if a test-range
launch is proposed.

(5) All materials are proved compatible with fuel or propellant.

(6) All lines and components are properly identified.

(7) Critical functions on propulsion systems are monitored.

(8) Turbines have minimum possibility of tank damage in case of
overspeed failure.

(9) Cartridge starters and other engine ordnance are protected from
inadvertent ignition.

(10) Heat isolation is specified whenever structure, electrical
components, or other heat-sensitive systems can be damaged by high
temperature.

(11) Fuel tanks are not located in, or above, engine compartments.

(12) Subsystems located near engine hot sections are protected from
heat.

(13) Nuts, bolts, and fittings that can cause leakage are mechanically
locked or wired.

(14) Reservoir caps have an indicator showing closed and locked
positions.

(15) Filler cap access covers cannot be installed without first
locking reservoir cap.

(16) Flammable fluid tanks include shutoff valves.

(17) Interlocks are provided between fuel valves and/or tank valves to
prevent oil tank shutoff while engine is operating.

(18) Oil coolers are heat isolated and not located in the engine hot
section.

(19) Auxiliary power unit compartments are ventilated.

(20) Pressure relief is specified if the oil cooler is designed for
less than 200 psi.

(21) Air induction systems have no items which can be ingested into
the engine.

(22) Particle separation is specified for helicopter induction
systems.

(23) Engine inlet screens are retractable.

(24) Ice removal and detection are provided for engine inlet screens.

(25) Overspeed protection is provided for engine starters.

(26) Continuous oil level indication and warning are provided.

(27) Filters are provided with a bypass feature immune to clogging and
icing.

(28) Chip detectors are provided in engine sumps.

(29) Fuel, oil, and alcohol system drain outlets are located so that
no drainage can enter induction systems.

A-3  FUEL/PROPELLANT  SYSTEM 

(1)  Incompatible  systems  are  separated 
sufficiently  to  prevent  inadvertent  mixing. 

(2)  Adjacent  incompatible  systems  are 
designed  so  that  it  is  impossible  to  intercon- 
nect. 

(3)  Components  are  qualified  for  use 
with  the  system  fuel  or  propellant. 

(4)  Systems  are  identified  by  system 
function,  commodity,  pressure,  and  direction 
of  flow. 

(5)  Insulation  is  nonabsorbent  and  can- 
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not  react  chemically  with  the  system  com- 
modity. 

(6)  Cleaning  agents  cannot  be  retained 
in  the  system. 

(7)  Tank  pressure  will  be  relieved  prior 
to  exceeding  structural  limitations. 

(8)  Components  and  systems  are  loca- 
ted to  minimize  danger  of  ignition  in  hazard 
areas. 

(9) Electrical equipment is approved for operation with the fuel or propellant.

(10)  All  possible  connectors  have  been 
omitted  from  inhabited  areas. 

(11)  Lines  are  routed  to  minimize  the 
effects  of  leakage. 

(12)  Structural  support  is  provided  for 
heavy  components. 

(13) Heat resistant lines are provided in potential fire areas.

(14) Reference-pressure lines are protected from freezing at high altitude.

(15)  Electrical  controls  are  protected 
from  short  circuits. 

(16)  Flow  of  propellant  stops  if  line 
ruptures. 

(17)  Proper  cleaning  levels  are  specified. 

(18)  System  component  interchange 
requirements  are  specified. 

(19)  Thermal  overheat  protection  is  pro- 
vided where  applicable. 

(20) Effects of fuel or propellant leakage have been minimized.

(21)  Static  electricity  protection  is  pro- 
vided. 

(22)  Fuel  tank  locations  minimize  ef- 
fects of  lightning  strikes. 

(23)  Fuel  and  propellant  tanks  are  loca- 
ted for  maximum  crash  protection. 

(24)  Ventilation  and  drainage  are  pro- 
vided where  leakage  into  confined  areas  is 
possible. 

(25)  Fuel  tanks  are  not  located  in 
engine  compartments. 

(26) Tanks are located to minimize effects of leakage near engine compartments.

(27) Fuel tanks are not located in the plane of the engine turbine.

(28) Effects of vapors are minimized in engine compartments, crew compartments, incompatible electrical equipment, and hot air bleed ducts by using vapor and liquid seals.

(29) Single failure of a tank pressurization system will not exceed tank structural limitations.

(30)  Vent  systems  safely  dispose  of  haz- 
ardous vapors. 

(31)  Lines  avoid  inhabited  areas. 

(32)  Closed  loop  venting  is  provided  for 
toxic  hazards. 

(33) Jettisoned fuel will not impinge on the vehicle.

(34)  Materials  are  qualified  for  use  with 
the  system  commodity. 

(35)  Pressure  relief  and  bleed  allow  for 
cryogenic  expansion. 

(36)  Reactions  of  high  energy  cryo- 
genics are  understood  and  allowed  for  in  the 
system  design. 


(1)  A component  is  designed  so  that  it 
cannot  be  installed  backwards.  Directional 
arrows  and  color  codes  are  in  addition  to  posi- 
tive mechanical  constraints,  not  in  lieu  of 
them. 

(2) Specific design instructions are provided for system proof check.

(3) All materials have been checked for fluid compatibility and, where compatibility is doubtful or unknown, tests have been made.

(4)  Emergency  systems  are  completely 
independent  of  primary  systems. 

(5)  A pressure  regulator  accompanies 
each  power  pump. 

(6)  Ground  test  connectors  are  pro- 
vided. 

(7)  No  possibility  exists  for  inter- 
connecting pressure  and  return  systems. 

(8)  Internal  surfaces  have  rounded  cor- 
ners and  do  not  invite  fatigue  failure. 

(9) System-routing bypasses inhabited areas.

(10) Control system filters are of the no-bypass type.

(11) Back-up rings are provided where pressures can cause O-ring stress.

(12) Sharp corners are eliminated to reduce installation damage.

(13) Nonflammable hydraulic fluid is specified.

(14) Primary control systems are separate and have no other function.

(15) Pressure range does not exceed 15,000 psig, and peak system pressure does not exceed 135 percent of design operating pressure.

(16)  Fluid  temperatures  do  not  exceed 
those  specified  in  MIL-H-5440. 

(17) Reservoirs are located for maximum protection and never located in the engine compartment.

(18)  Fluid  does  not  leak  through  reser- 
voir vents. 

(19)  No  gas  from  gas  pressurized  reser- 
voirs is  introduced  into  the  fluid. 

(20)  Filters  are  consistent  with  contami- 
nation level  required. 

(21)  Specified  preoperational  testing  is 
strictly  controlled  to  prevent  excessive  system 
wear. 

(22)  Where  ground  test  connections  are 
provided,  pressure  line  is  removed  prior  to 
removing  the  return  line. 

A-5  PRESSURIZATION  AND  PNEUMATIC  SYSTEMS

(1)  Storage  pressure  can  be  bled  off  to 
allow  replacement  of  components.  Pressure 
readout  is  provided  to  insure  that  pressure  is 
below  hazard  levels. 

(2) System is protected so that a regulator malfunction will not cause downstream system failure.

(3)  Relief  valves  will  initially  (transient 
conditions)  limit  system  pressure  to  no  higher 
than  110  percent  of  working  pressure. 

(4)  Reservoirs  and  storage  vessels  have 
shutoff  valves  for  maintenance. 

(5)  Adjacent  or  incompatible  system 
pressure  connectors  are  keyed  or  sized  so  that 
it  is  physically  impossible  to  connect  the 
wrong  unit  or  pressure  level. 

(6)  All  lines  are  identified  by  contents, 
pressure,  and  direction  of  flow. 

(7)  Separate  pressurization  sources  are 
specified  downstream  of  primary  regulation 
when  pressurizing  noncompatible  commodi- 
ties. 

(8)  Pressure  relief  is  specified  where 
source  pressure  can  exceed  the  design  levels  of 
the  system. 

(9)  Trapped  gas  can  be  bled  from  be- 
tween components. 


(10)  Relief  valves  exceed  the  maximum 
flow  capacity  of  the  pressure  source. 

(11)  Inert  gases  cannot  be  introduced 
into  inhabited  areas. 

(12)  Proper  proof  checks  are  performed 
as  specified. 

(13)  If  system  relief  is  not  provided, 
safety  factors  are  sufficient  to  contain  safely 
the  source  pressure. 

(14) Relief valve outlets are ported directly to the atmosphere.

(15)  Lubricants  and  other  materials  are 
acceptable  for  use  with  the  system  gas. 

(16)  Pressure  reservoir  type  and  temper- 
ature rating  are  correct  for  the  system  work- 
ing range. 

(17)  Components  and  systems  are  quali- 
fied and  acceptable  for  use  in  the  intended 
environment. 

(18) Selection of compressors has considered explosion hazards.

(19)  Check  valves  are  placed  to  prevent 
critical  air  loss. 

(20)  Lines  or  components  are  protected 
from  damage  due  to  baggage  and  equipment 
stowage  or  personnel  access. 

(21)  Routing  of  inert  or  toxic  gas  sys- 
tems avoids  inhabited  areas. 

(22)  Hot  air  ducts  are  routed  or  insula- 
ted to  protect  structure  from  overheat. 

(23) All direct pressure readout Bourdon tube gages are equipped with shatterproof glass and blow-out plugs.

(24)  Components  cannot  be  installed 
backwards. 

A-6  ELECTRICAL/ELECTRONIC  SYSTEMS 

(1)  Materials  have  been  selected  with 
due  consideration  for  operational  environ- 
ment such  as  explosive  or  corrosive  atmo- 
spheres. 

(2)  It  is  not  possible  to  ignite  or  contri- 
bute to  the  ignition  of  adjacent  materials  re- 
gardless of  the  operational  atmosphere. 

(3)  Materials  will  not  emit  toxic  or 
explosive  gases  when  operated  at  elevated 
temperatures. 

(4)  Use  of  dissimilar  metals  in  contact 
is  avoided. 

(5) Design philosophy considers the most extreme possible environment.

(6) System operation is not degraded by temperature extremes.

(7)  System  design  provides  compensa- 
tion such  as  hermetic  sealing  and  pressuriza- 
tion for  all  pressure-sensitive  elements. 

(8)  Components  used  in  areas  with 
flammable  fluids  are  incapable  of  causing  igni- 
tion. 

(9)  Wiring  and  component  identifica- 
tion are  proper. 

(10)  Routing  of  wires  and  location  of 
components  will  not  impose  undue  mech- 
anical strain  on  termination  points  under  any 
combination  of  anticipated  service  conditions. 

(11)  Routing  of  wires  and  location  of 
components  do  not  create  interference  with 
adjacent  systems. 

(12)  Connections  and  terminations  are 
at  an  absolute  practical  minimum. 

(13)  Sensitive  circuits  are  isolated  where 
degradation  can  be  induced  by  adjacent  cir- 
cuits. 

(14)  Positive  protection  is  provided  for 
terminal  blocks  to  prevent  shorts  resulting 
from  contact  with  miscellaneous  debris  or 
from  elements  of  the  environment. 

(15)  Connectors  are  limited  only  to 
those  applications  requiring  frequent  discon- 
nection. 

(16)  Sufficient  space  is  allowed  around 
connectors  for  engaging  and  disengaging,  par- 
ticularly where  wrenches  are  required. 

(17)  Termination  of  power  and  signal 
leads  on  adjacent  pins  of  connectors  is 
avoided. 

(18)  Elements  of  a redundant  system  do 
not  pass  through  the  same  single  connector  as 
elements  of  the  primary  system. 

(19)  Special  tools,  materials,  and  pro- 
cesses clearly  are  specified  in  the  design. 

(20)  All  reasonable  effort  has  been  ex- 
pended to  eliminate  the  possibility  of  the 
system  contributing  to  flame  propagation  or 
toxic  outgassing. 

(21)  Polyvinyl  chloride  or  other  low 
temperature  polymers  are  not  used  as  wire  in- 
sulation (high  temperatures  are  always  a 
hazard). 

(22)  External  power  receptacles  are  lo- 
cated as  far  as  possible  from  points  of  poten- 
tial flammable  vapor  or  fluid  concentration. 

(23)  Lead-acid  batteries  are  vented  to 
areas  where  ignition  is  not  possible. 


(24)  Battery  vent  outlets  are  designed  to 
eliminate  vent  system  backflow  and  so  that 
battery  acid  cannot  be  ejected  from  the  vent 
outlet. 

(25)  Equipment  is  protected  from  light- 
ning strikes. 

(26)  The  basic  structure  has  been  analy- 
zed to  insure  compliance  with  electrical  bond- 
ing requirements,  particularly  in  areas  of 
discontinuity. 

(27)  Electrical  shielding  is  specified 
wherever  it  is  necessary  to  suppress  radio- 
frequency interference  and  other  sources  of 
spurious  electrical  energy. 

(28)  Circuits  and  equipments  are  pro- 
tected from  overload. 

(29)  It  is  not  possible  to  induce  a 
dangerous  vehicle  circuit  overload  from  a mal- 
function of  the  ground  system  in  the  power 
circuits. 

(30)  It  is  not  possible  to  induce  a dang- 
erous ground  system  circuit  overload  from  a 
malfunction  of  the  vehicle  power  circuits. 

(31)  Primary  and  redundant  system  cir- 
cuits are  not  supplied  from  the  same  power 
bus  or  circuit  breaker. 

(32)  Fuses  and  circuit  breakers  are 
easily  accessible  and  are  provided  with  a visual 
means  to  indicate  their  condition  (open  or 
closed). 

(33)  All  elements  requiring  periodic 
service  are  accessible. 

(34)  Protection  is  provided  from  the 
hazards  of  loose  articles,  tools,  and  debris. 

(35)  Access  covers,  components,  or 
equipment  requiring  specific  installation  ori- 
entation have  asymmetric  mounting  features. 

(36)  Access  is  designed  for  easy  hand- 
ling of  heavy  components. 

(37)  Interlocks,  shielding,  safety  guards, 
barriers,  and  warning  markings  have  been 
specified  where  a personnel  hazard  can  exist. 

(38)  Handholds,  mechanical  guides,  rails 
or  slides  are  specified  wherever  handling  of 
slippery,  bulky,  heavy,  or  otherwise  hard-to- 
handle  equipment  is  involved. 

(39)  Electrical  wire  bundles  avoid  routes 
adjacent  to  fuel  lines,  hot  air  ducts,  or  mech- 
anical linkages. 

(40)  High  temperature  wire  and  cable 
insulation  is  specified  for  designated  fire 
zones  and  near  high  temperature  sources. 

(41) Routing provides for slack and a service loop with enough excess wire for three connector replacements.

(42) Wires attached to normally moving parts are routed to twist-with rather than bend-across adjacent moving parts.

(43)  Supports  are  provided  to  prevent 
abrasion  or  chafing  of  wires  and  cables. 

(44)  System-verification  test-circuits  do 
not  indicate  the  command;  rather,  they  indi- 
cate the  actual  response  of  the  system. 

(45) Power application will not actuate critical circuits as a result of function switches that may be cycled without indicating the on-off position during a power-off phase (i.e., push-on/push-off switches).

(46) Complex system operational test requirements are minimized during actual use.

(47)  Continuous  monitoring  is  provided 
for  tests  requiring  judgments  rather  than 
standards. 

(48)  Test  points  are  provided  for  rapid 
malfunction  isolation. 

(49)  Connectors  and  other  delicate  pro- 
trusions cannot  be  used  as  footholds  or  for 
mechanical  leverage. 

(50)  Maintainability  specifications 
identify  any  hazards  involved  in  removing,  re- 
placing, and  testing  of  elements  in  the  system. 

(51) All power can be isolated from specific equipment to allow maintenance or removal.

A-7  VEHICLE  CONTROL  SYSTEMS 

(1) Design is as simple as possible for the task it will perform.

(2)  Electrical  and  mechanical  compon- 
ents are  compatible  mutually  and  with  the 
anticipated  service  environment. 

(3)  Limiting  devices,  emergency  dis- 
connects, alternate  systems,  or  other  safety 
measures  are  incorporated  to  safeguard  criti- 
cal parameters  if  a malfunction  occurs. 

(4)  Circuit  protection  devices  do  not 
exist  in  signal  circuit  or  in  other  circuits 
where  unsafe  control  motions  of  the  vehicle 
would  occur  if  the  device  opened. 

(5)  Possibility  of  electrical  cross-con- 
nections or  phase  reversals  is  minimized. 

(6) No component or element of the system will interfere with crew rescue or escape.

(7) Adequate visual indication of the system operational status is presented to concerned crew members.

(8) Interlocks or limiting devices protect the structure from maneuvers in excess of the structural limit load factor.

(9) Redundant emergency power systems are provided.

(10)  Installation  requirements  minimize 
the  system  vulnerability  to  defined  mission 
hazards  such  as  enemy  action  and  environ- 
mental extremes. 

(11)  Installation  requirements  provide 
the  maximum  serviceability  and  maintenance 
features  with  a minimum  of  specialized  tools 
or  procedures. 

(12)  Installation  requirements  insure 
that  position-sensitive  components  can  be 
installed  only  in  their  proper  orientation. 

(13)  Manual  overpower  capability  is 
provided  with  the  control  system  fully  en- 
gaged and  operating  (piloted  aircraft). 

(14) Elements of the system are routed, covered, or otherwise protected from jamming from dropped or loose items, maintenance operations, cargo shift, etc.

(15) Elements of the system are protected from moisture or fluid accumulation, by draining potential fluid traps. In addition to normal corrosion hazards, trapped fluids can freeze at high altitudes and jam critical control elements.

(16)  Elements  of  stability,  accuracy, 
and  reliability  have  been  evaluated  and  veri- 
fied for  each  component  of  the  guidance  and 
control  system. 

(17)  There  is  a means  of  verifying  satis- 
factory operation  of  each  redundant  path  at 
any  time  it  is  determined  that  the  system  or 
subsystem  requires  testing. 

(18)  Redundant  paths  of  the  system  are 
located  such  that  an  event  that  damages  one 
path  is  not  likely  to  damage  the  other. 

(19)  Failure  in  any  portion  of  the  sys- 
tem will  not  cause  or  create  additional  or 
cumulative  hazards. 

(20) Guards are provided over bolted ends of torque tubes.

(21) Unsymmetrical components cannot be installed incorrectly.

(22)  Consideration  has  been  given  to 
pulley  diameter  versus  cable  wrap  angle  and 
applied  force. 

(23)  Control-column  openings  are  cov- 
ered by  flexible  boots. 

(24)  Control  cables  are  isolated  effec- 
tively or  protected  from  electrical  equipment. 

(25) Control mechanisms are located to afford maximum protection to preclude possibility of jamming or damage.

(26)  Routing  of  cables,  push-pull  rods, 
and  torque  tubes  considers  structural  deflec- 
tion and  its  effect  on  function. 

(27)  Bolt  length  or  reverse  bolt  installa- 
tion will  not  cause  system  interference. 

(28)  Sleeves,  rub-strips,  or  guards  are 
provided  where  contact  with  stationary  ob- 
jects is  possible. 

(29)  Provisions  are  made  for  frequent 
inspection  of  fatigue-prone  areas. 

(30)  Inspection  plates  or  access  covers 
will  not  interfere  with  movement  if  installed 
incorrectly. 

(31) Structural deflection will not cause cables to slack sufficiently to cause fouling.

(32) Guards are installed on all vertical pulleys to prevent jamming by foreign objects.

(33) Inspection doors are hinged from the top to prevent falling into any mechanism.

(34)  Bracket  attachment  structure  is 
reinforced  properly  to  accept  applied  loads 
and  repeated  stresses. 

(35)  Actuating  arms  and  levers  are  pro- 
vided with  pins,  bolts,  or  serrations  to  prevent 
slippage. 

(36)  Unfavorable  working  conditions 
will  not  cause  maintenance  errors. 

(37) Turnbuckles and push-pull rods are not subjected to bending forces.

(38)  Universal  joints  are  provided  where 
torque  tube  misalignment  can  be  excessive. 

(39)  Rod  ends  have  rounded  threads. 

(40)  Corrosion-resistant  materials  are 
specified  where  leaking  acid  or  other  corrosive 
liquids  can  contact  mechanisms. 

(41) Insert-bushings are used in attachment fittings in place of removable washers.

(42)  Bolts  are  specified  to  attach  rod 
ends  to  hollow  tubes. 

(43)  It  is  impossible  to  cross-connect  in- 
advertently any  control  cable  or  rod  to  the 
wrong  fitting. 

(44)  Pulleys  are  positively  attached  to 
the  bearing  hub. 

(45) Incorrect bolt length will not cause system interference.

(46) System and its components are compatible in all cases from the standpoint of durability, deflections, wear, and the danger of one component or system creating a hazard by proximity to other components or systems.

(47)  Fabrication  techniques  have  not 
subjected  materials  to  temperatures  or  stresses 
which  can  affect  design  strength. 

A-8  GUIDANCE  AND  NAVIGATION 
SYSTEMS 

(1)  Design  will  be  as  simple  as  possible 
for  the  task  it  will  perform. 

(2)  Electrical  and  mechanical  compon- 
ents are  compatible  one  with  the  other,  and 
with  the  anticipated  service  environment. 

(3)  Limiting  devices,  alternate  systems, 
or  other  safety  measures  are  incorporated 
when  feasible  to  safeguard  critical  parameters 
if  a malfunction  occurs. 

(4) No circuit protection devices exist in signal circuits, or in other circuits that control vehicle motion and where opening of such a device would produce unsafe motions.

(5) Possibility of electrical cross connections or phase reversals is minimized.

(6) Elements of stability and accuracy have been evaluated and verified for each component of the guidance and navigation system.

(7) System self-check features are provided to allow the operator to detect the presence of systematic random or cumulative error.

(8) A fail-safe or redundant system design philosophy is applied in a manner consistent with mission objectives.

(9) Redundant or double-redundant design techniques are considered when critical parameters are displayed and are essential during approach and landing.

(10) There is a means of verifying satisfactory operation of each redundant path at any time the system or subsystem is determined to require testing.

(11)  Redundant  paths  of  the  system  are 
located  so  that  an  event  that  damages  one 
path  is  not  likely  to  damage  the  other. 

(12) No element of the guidance or navigation system will interfere with crew escape.

(13) Installation requirements minimize the system vulnerability to defined mission hazards such as enemy action or environmental extremes.

(14)  Installation  requirements  provide 
the  maximum  serviceability  and  maintenance 
features  with  a minimum  of  specialized  tools 
or  procedures. 

(15) Installation requirements insure that position-sensitive components can be installed only in their proper orientation.

(16) Adequate visual indication of the system operational status is presented to concerned crew members.

(17) Minimum direct forward visibility is not severely limited by the installation of any navigational system.

A-9  COMMUNICATION  SYSTEMS 

(1)  Redundancy  is  incorporated  where 
required. 

(2)  Single  component  failure  will  not 
damage  or  diminish  the  use  of  redundant  or 
related  systems. 

(3)  Redundant  systems  can  be  opera- 
ted from  separate  and  independent  power 
sources. 

(4)  Adequate  design  precaution  is  tak- 
en to  eliminate  or  control  electromagnetic 
interference  (EMI)  effects  upon  circuit  com- 
ponents. 

(5) Shielding design complies with MIL-E-6051.

(6) Interference control of the integrated system complies with MIL-STD-826.

(7) System is compatible and in compliance with “worst case” system requirements.

(8) System separation of the transmitter and receiver is such that direct excitation of the receiving antenna cannot exceed 10;' V.

(9) Status displays are incorporated in all system functions that monitor hazardous operations.

(10) Compatibility with all relay links is possible within the allocated frequency of the proposed communication system design.

(11) Maximum continuous RF exposure of operational personnel or vehicle crew members does not exceed 10 mW cm⁻².

A-10  PROTECTION  SYSTEMS 

(1)  Explosive  vapor  detectors  are  speci- 
fied where  explosive  vapors  can  collect. 

(2)  Explosive  vapor  detection  system 
will  trigger  an  alarm  at  20  percent  of  the 
lower  explosive  level. 

(3)  Toxic  vapor  detectors  are  specified 
wherever  toxic  gases  or  vapors  can  enter 
inhabited  areas. 

(4)  Fire  detection  systems  are  specified 
for  all  potential  fire  zones. 

(5)  Smoke  detectors  are  specified  in 
nonventilated  baggage  or  cargo  areas. 

(6) All possible design action has been taken to prevent false indication.

(7) Hazard warning systems can be reset to indicate a hazard recurrence.

(8)  Explosive  vapor  detectors  can  op- 
erate in  an  explosive  atmosphere  without 
initiating  an  explosion. 

(9) Deviation from normal performance will cause an explosive vapor detection system malfunction indication.

(10) All detection systems are completely compatible with the environment in which they must operate.

(11) All hazard detection systems receive power from the essential-equipment bus.

(12)  Detector  reaction  time  is  at  its 
absolute  minimum. 

(13)  Provisions  are  made  to  allow  peri- 
odic system  calibration  and  checking. 

(14)  Malfunction  detection  systems 
sense  critical  system  deviations. 

(15) Critical instruments have positive failure warning.

(16) Instrument malfunction flags are not used to designate emergency conditions.

(17) All emergency conditions or malfunctions initiate a warning.

(18) Emergency conditions requiring immediate action initiate an audible warning in addition to visual warning.

(19)  Audible  warning  is  not  specified  in 
the  communication  system  when  constant 
monitoring  is  not  required. 

(20)  Sound  levels  will  not  interfere  with 
essential  communications. 

(21)  Verbal  audible  warnings  are  clear, 
concise,  intelligible,  and  reflect  calmness  and 
urgency. 

(22) Audible warning override is provided where prolonged warning will interfere with effective corrective action.

(23)  Volume  controls  do  not  reduce 
warnings  to  an  inaudible  level. 

(24)  Component  interlocks  are  specified 
whenever  out-of-sequence  operation  can 
create  a system  hazard. 

A-11  FIRE  EXTINGUISHING  AND  SUPPRESSION  SYSTEM

(1)  Potential  fire  zones  are  identified. 

(2)  Potential  fire  zones  are  isolated  by 
fire  barriers  or  firewalls. 

(3)  Titanium  is  not  used  structurally 
where  it  may  contact  molten  metal. 

(4)  Firewalls  are  as  liquid-  and  vapor- 
proof  as  possible. 

(5)  Access  doors  have  not  been  in- 
stalled in  firewalls. 

(6)  Firewalls  are  not  stressed  by 
mounted  equipment. 

(7) Materials used on the protected side of firewalls will not burn as a result of high temperature in the fire zone.

(8) Air ducts passing through fire zones are fabricated to insure fire containment.

(9) Air ducts originating in fire zones can be closed to stop airflow.

(10)  Flammable  fluid  lines  with  flow 
into  or  through  a fire  zone  are  provided  with 
shutoff  valves. 

(11)  Fire  will  have  no  effect  on  the 
operation  of  shutoff  valves  or  control  circuits. 

(12)  Flammable  fluid  lines  in  fire  zones 
are  made  of  stainless  steel  or  equivalent. 

(13) Flammable fluid flexible hose will withstand 2000°F when routed in or near fire zones.

(14) Fire detection is specified for all potential fire zones.

(15) Fire extinguishing systems are specified for all potential fire zones. (Ref. MIL-E-5352.)

(16) The most effective extinguishing agent is specified consistently with both safety and design goals.

(17)  Toxicity  is  considered  where  it  is 
possible  for  fumes  to  enter  inhabited  areas. 

(18)  Extinguishing  agent  containers  are 
designed  for  maximum  possible  protection 
from  crashloads  or  gunfire. 

(19) Extinguishing agent containers have safety relief.

(20)  Visual  indication  is  provided  that 
safety  relief  has  occurred. 

(21)  Pressure  gages  are  readily  accessible 
for  inspection  and  maintenance. 

(22)  Squib  actuated  discharge  valves  are 
designed  so  that  electrical  connection  cannot 
be  made  unless  the  squib  is  installed. 

(23)  Interfaces  between  control  systems 
and  other  systems  cannot  cause  extinguishing 
system  failure. 

(24) Redundancy is specified where relays are used in the control system.

(25)  Separate  initiation  circuits  and  dual 
squibs  are  provided  for  each  container. 

(26)  Routing  of  control  wiring  does  not 
pass  through  potential  fire  zones  unless  it  can 
withstand  at  least  2000°F  without  system 
degradation. 

(27)  Automatic  explosion-suppressing 
devices  are  considered  wherever  an  explosion 
can  occur  too  swiftly  for  crew  reaction. 

(28)  Suppressing-system  status  is  pro- 
vided to  indicate  system  has  actuated. 

(29)  Flame-proof  containers  or  com- 
partments are  specified  for  storage  of  items 
with  low  ignition  temperature  or  high  flame- 
propagation  rates. 

(30) Toxic products of combustion are considered when cabin interior materials are selected.

(31) Tests have been specified to determine if combustion products are toxic when unknown or doubtful.

(32) Electrical equipment will not provide an ignition source when operating in any hazardous atmosphere.

(33)  Flammable  fluid  line  routing  avoids 
inhabited  areas  or  is  restricted. 

(34)  Complete  fire  hazard  analysis  has 
been  made. 

(35)  Fuel  lines  and  tank  structures  are 
designed  to  contain  fuel  as  much  as  possible 
within  the  system  under  crash-induced  load- 
ings. 

(36)  Fuel  lines  and  tanks  are  protected 
from  penetration  during  a crash  by  mounting 
behind  heavy  structure  and  avoiding  areas 
where  penetration  is  likely. 

(37)  Provisions  are  made  to  deactivate 
systems  that  can  provide  an  ignition  source  on 
crash  impact. 

(38) Spark-producing metals are not exposed to crash friction.

(39)  Flammable  fluid  components  are 
located  where  ground  contact  cannot  occur 
and  where  crash  damage  is  unlikely. 

(40)  All  possible  consideration  is  given 
to  use  of  gelled  or  other  ignition-inhibited 
fuels. 

(41)  Interior  finishes  and  materials  are 
selected  for  inability  to  support  combustion 
and  minimum  toxic  products  of  combustion. 

(42)  Flammable  materials  specified  for 
use  in  an  interior  are  at  a minimum  and  flame 
retardants  are  specified  for  any  flammable 
material  used. 

(43)  Passenger  compartments  are  pro- 
vided with  fire  resistant  storage  compartments 
for  combustible  materials. 

(44) Hand fire-extinguishers are provided.

(45) Cargo areas have fire detecting and extinguishing systems.

(46)  Ventilation  and  cargo  areas  can  be 
closed  off  during  the  extinguishing  cycle. 

(47)  Lighting  in  cargo  areas  is  protected 
from  damage  and  contact  with  flammables. 

(48)  System  actuation  cannot  be  mis- 
directed to  the  wrong  fire  zone. 

(49)  A single  control  handle  will  shut 
off  flow  of  flammables  and  ignition  sources. 

(50)  Audible  alarm  is  provided  where 
fire  warning  lights  may  go  unnoticed. 

(51)  Audible  alarm  override  is  provided. 

(52)  System  actuating  switches  are  pro- 
tected from  inadvertent  operation. 


A-12  CREW  STATION  SYSTEMS

(1) Dimensional allowances for safe crew accommodations and work places comply with the 5th through 95th percentile.

(2)  Surface  colors  properly  depict  the 
appropriate  physical  hazards  by  coding. 

(3)  Shape  and  location  of  emergency 
controls  are  such  that  crew  members  are  able 
to  operate  them  without  visual  reference. 

(4)  Operating  controls  are  designed 
and  located  to  minimize  inadvertent  activa- 
tion. 

(5)  Emergency  controls  are  readily  visi- 
ble and  accessible. 

(6)  Materials  and  finishes  selected  for 
the  crew  stations  are  compatible  with  the  en- 
vironment. 

(7) Types and characteristics of auditory and warning devices are suitable for providing the discrimination necessary under all operating conditions. Caution and advisory lights are located outside the flight instrument group. The brightness of the translucent areas of light indicators is at least 150 ft-lamberts in the bright mode.

(8)  Displays  are  designed  to  minimize 
reading  errors. 

(9)  Master  caution  and  all  warning 
lights  can  be  dimmed  to  approximately  15 
ft-lamberts  when  instrument  lights  are  on  and 
all  other  lights  dimmed  to  approximately  1.5 
ft-lamberts. 

(10)  Labels  or  placards  are  plainly  legi- 
ble under  both  day  and  night  conditions. 
Warning and caution indicator lights are
readily  visible  to  crew  members  while  at  their 
stations. 

(11) Proper equipment is provided to
maintain  safe  cabin  temperature  and  airflow 
requirements. 

(12) Fuel and oil are prevented from
contaminating  the  air  in  the  crew  compart- 
ments. 

(13)  Suitable  decontamination  and  fil- 
tration devices  are  provided. 

(14)  There  is  proper  access  for  the 
removal  and  replacement  of  filters  or  filter 
media. 

(15)  High-pressure,  high-temperature 
bleed  air  ducts  are  located  to  prevent  over- 
heating of  walls  and  compartments  and  the 
bypass  areas  containing  combustible  fluids. 

(16) Check valves, shutoff valves, and
other  devices  are  provided  for  sealing  off  or 
regulating  pressurized  compartments. 

(17)  Insulation  of  the  ducts  is  located 
properly  and  made  of  materials  to  prevent 
heat  loss  and  contact  with,  or  absorption  of, 
combustible  fluids. 

(18)  Range  of  temperatures  in  the  crew 
compartment  complies  with  the  thermal  com- 
fort zone  and  specified  exposure  times  for 
heat  and  cold. 

(19)  There  are  emergency  provisions  for 
assisted  or  unassisted  escape  from  the  crew 
compartment. 

(20)  Crew  personnel  are  provided  with 
an  unimpeded  path  out  of,  and  away  from, 
the  vehicle. 

(21)  Emergency  lighting  is  incorporated 
in  the  crew  compartment. 

(22)  Safety  belts,  harnesses,  and  straps 
are  provided. 

(23)  Crew  and  their  personal  equipment 
are  protected  from  thermal  radiation  caused 
by  the  explosion  of  nuclear  weapons,  includ- 
ing eye  protection  against  flashblindness. 

(24)  Alarms  and  warning  signs  are  de- 
signed, installed,  and  located  so  that  they  can 
be  heard  or  read  directly  by  crew  members. 

(25)  Fire  and  overheat  systems  are  de- 
signed and  located  to  alert  crew  members  of 
such  conditions. 

(26)  Portable  fire  extinguishers  are  de- 
signed and  mounted  in  locations  where  they 
are  readily  usable  by  crew  members. 

(27)  Circuit  overload  protection  devices 
are  adequate. 

(28) Interconnecting wires and cables
are secured and protected to avoid inadvertent
contact or wire chafing.

(29)  Equipment  cooling  ducts  and  the 
equipment  are  located  to  provide  adequate 
cooling  of  hot  spots. 

(30)  Equipment  is  sufficiently  accessible 
for  manual  fire  extinguisher  utilization. 

(31)  If  a bipropellant  is  used,  the  oxi- 
dizer and  fuel  components  are  separated  as  far 
as  possible. 

(32)  There  are  propellant  shutoff  and 
fuel  jettison  valves. 

(33)  Electrical  wires,  cables,  and  heat- 
producing  equipment  are  isolated  from  the 
propellant  components. 


(34)  All  electrically  operated  motors, 
valves,  solenoids,  relays,  etc.,  are  of  approved 
explosion-proof  type. 

(35)  All  materials  used  within  the  pres- 
surized compartments  are  fire  resistant.  Inter- 
ior materials  do  not  generate  toxic  and 
noxious  gases  when  exposed  to  heat  and 
flame. 

(36) Electrical and heat-producing items
are  separated  from  oxygen  systems. 

(37)  A complete  fire  detection  and  ex- 
tinguishing system  is  built  into  the  vehicle. 

(38)  Fire  extinguishing  agents  are  com- 
patible with  the  vehicle  structure  and  environ- 
mental control  systems. 

(39)  Environmental  control  system  is 
equipped  with  filters  for  noxious  gas  and 
noxious  gas  neutralizing  systems. 

(40)  If  a toxic  propellant  is  used,  the 
lines  and  connections  associated  with  it  are 
routed  outside  the  crew  compartment. 

(41) Pressurized compartment is sealed
off  from  components  that  could  generate 
toxic  gas. 

(42)  Pressurized  compartments  are  capa- 
ble of  being  vented  and  purged  to  remove 
toxic gas.

(43)  A complete  toxic  gas  warning 
system is installed in the vehicle.

(44)  Interior  is  free  from  sharp  objects 
that  could  cause  crew  injury. 

(45)  All  protrusions  are  removed,  pad- 
ded, labeled,  or  otherwise  shielded. 

(46)  All  electrical  systems  are  labeled, 
interlocked,  isolated,  or  otherwise  designed  to 
minimize  electrical  shock. 

(47)  Adequate  provisions  for  the  stor- 
age, protection,  and  accessibility  of  equip- 
ment and  supplies  are  provided. 

(48)  Electrical  power  supply  is  redun- 
dant. 

(49) An alternate power source is available
for environmental control system operations.
If not, insure that a stand-by or emergency
environmental control system is available.

(50)  Emergency  power  is  supplied  from 
a separate  source  and  from  an  independent 
power  bus. 

(51) Vehicle pressure wall is designed so
that proper quality control and testing
procedures will ascertain pressure reliability.

(52) Crack propagation is limited.

(53) Faulty seals can be detected.

(54)  Where  wear  or  damage  can  occur, 
double  seals  are  used. 

(55)  Seals  or  sealing  devices  are  designed 
so  that  replacement  or  emergency  repairs  can 
be  made. 

(56)  Shielding  is  provided  adjacent  to 
equipment  that  could  structurally  fail  and 
puncture  the  cabin  wall. 

(57)  Delicate  components  are  located 
where  they  will  not  be  damaged  while  the 
unit  is  being  worked  on. 

(58)  Internal  controls,  such  as  switches 
and  adjustment  screws,  are  not  located  close 
to  dangerous  voltages. 

(59)  Components  that  retain  heat  or 
electrical  potential  after  the  equipment  is 
turned  off  are  not  located  where  maintenance 
personnel  may  touch  them  inadvertently 
upon  opening  the  equipment. 

(60)  Irregular  protrusions  such  as  cables, 
wave  guides,  and  hoses  are  easily  removable  to 
prevent  damage  during  maintenance. 

(61)  Rests  or  stands  are  provided  on 
which  units  can  be  set  to  prevent  damage  to 
delicate  parts.  Rests  or  stands  are  designed  as 
a part  of  the  basic  chassis. 

(62)  Fold-out  construction  is  provided 
for  units  wherever  feasible,  and  parts  and  wir- 
ing are  arranged  so  that  they  are  not  damaged 
when  the  assembly  is  opened  or  closed. 

(63)  Covers  and  cases  are  sufficiently 
larger  than  the  units  they  enclose  to  preclude 
damage  to  wires  and  other  components  when 
the  cases  are  removed  or  replaced. 

(64) Corners and edges of covers and
cases  are  rounded  for  safety  while  handling. 

(65)  Ventilation  holes  in  covers  are 
small  enough  to  preclude  inadvertent  inser- 
tion of  any  object  that  might  touch  high- 
voltage  sources  or  moving  parts. 

(66) Handles are shaped so that they do
not  cut  into  the  hand  of  the  holder. 

(67) Guards or other protection are provided
for easily damaged conductors such as
high-frequency  cables  or  insulated  high- 
voltage  cables. 

(68)  Plugs  with  a self-locking  safety 
catch  are  used  in  preference  to  plugs  that 
must  be  safety-wired. 

(69) Internal fillets that might injure the
hands or arms of maintenance personnel are
provided with rubber, fiber, or plastic
shielding on the edges.

(70) On accesses that lead to equipment
with high voltages, safety interlocks are
provided that deenergize the circuit when the
access panel is opened. If maintenance is
required on equipment with circuits energized,
insure that a "cheater" switch is provided
that bypasses the interlock and that
automatically resets when the access panel is
closed.

(71)  Warning  labels  are  provided  on  all 
access  panels  leading  to  high  voltage  or 
moving  parts. 

A-13  ORDNANCE  AND  EXPLOSIVE 
SYSTEMS 

(1)  Sensitivity,  shattering  effect,  and 
power  of  the  explosive  are  evaluated  fully  for 
each  application. 

(2)  Degree  of  sensitivity  of  the  initi- 
ator is  evaluated  fully  for  each  application. 

(3) Materials are without dangerous
defects, and will resist changes due to aging.

(4)  Degree  of  confinement  of  the 
device  is  evaluated  fully  for  each  application. 
Explosive  energy  release  is  more  hazardous  in 
areas  of  closer  confinement. 

(5)  Items  with  critical  manufacturing 
tolerances  are  avoided  where  possible  since 
such  items  are  more  susceptible  to  accidental 
ignition. 

(6)  Termination  interruptions  in  the 
firing  circuit  are  held  to  the  absolute  mini- 
mum. 

(7)  Maximum  protection  from  inad- 
vertent operation  is  provided  by  proper  cir- 
cuit design  and  use  of  safe/arm  devices. 

(8)  The  most  electrically  or  mechani- 
cally insensitive  device  commensurate  with 
the  application  is  used. 

(9)  Specifications  for  storage  comply 
with  existing  regulations  and  requirements. 

(10) Specifications for storage do not
permit the use of static electricity
generators—such as plastic sheets, wraps, and
covers—in any part of the packing and storage
process.

(11) Test and evaluation are carried out
properly through detailed test specifications
showing test objectives, methods, equipment,
personnel, and special precautions necessary
as determined by the design.

(12)  The  insulation  for  ordnance  firing 
circuits  possesses  the  optimum  dielectric  char- 
acteristics for  the  design  environment. 

(13)  Shielding  to  protect  the  squib  and 
firing  circuits  from  stray  voltage  is  evaluated 
properly  and  optimized  for  each  design. 

(14)  Ordnance  circuits  are  routed  with 
minimum  exposure  to  physical  damage  and 
potential electrical ignition sources.

(15)  Ordnance  control  circuit  design  is 
compatible  with  the  vehicle  shock  and  vibra- 
tion environment. 

(16)  Ordnance  devices  and  the  firing  cir- 
cuits have  been  reviewed  separately  and  as  an 
integrated  system,  giving  strong  emphasis  to 
subsystem  interfaces. 

(17)  Applicable  range  safety  manuals 
have  been  reviewed  for  ordnance  system  per- 
formance requirements  prior  to  design  selec- 
tion. 

(18)  A hazard  analysis  is  conducted  on 
all  ordnance  systems  to  evaluate  their  hazard 
potential.  A hazard  analysis  is  conducted  on 
all liquid-propellant and solid-propellant
systems  to  an  acceptable  hazard  level  of 
operation. 

(19) Hazard analysis has identified all
potential modes of vehicle failure and has
indicated design approaches, corrections, or
recommendations to minimize the level of the
indicated hazard.

(20)  Design  has  been  corrected  in  ac- 
cordance with  the  findings  of  the  hazard  anal- 
ysis consistent  with  program  objectives. 

(21)  All  hazards  have  been  evaluated 
either  by  experiment  or  empirical  knowledge. 

(22)  Effectiveness  and  necessity  of  an 
explosion  suppression  and  inerting  system 
have  been  evaluated. 

(23)  All  ignition  sources  are  identified 
and  corrective  measures  are  taken  to  reduce 
the  probability  of  their  contribution  as  an 
explosion  source. 

(24)  Design  requirements  subject  a mini- 
mum of  personnel  to  the  acceptable  hazard 
level  determined  by  the  system  hazard  analy- 
sis. 

(25)  Fuze/safing-arming  mechanism  has 
at  least  two  independent  safing  features,  any 
one of which can prevent an unintended
detonation.  Each  is  activated  by  a different 
environmental  input.  At  least  one  feature 
includes  an  arming  delay  adequate  to  spare 
the  user  from  injury  in  case  of  premature 
functioning  of  the  system.  The  item  is  fail- 
safe when  all  safing  features  are  subverted. 

(26) Detonation of any primer or detonator
in a fuze/safing-arming mechanism that is
in the safe condition will be physically barred
from causing further functioning of the
explosive train.

B-1 INTRODUCTION

In recent years, a large number of reliability
information centers and data banks have
been  established.  These  data  banks  provide 
information  in  a variety  of  formats  useful  to 
reliability  engineers.  Advances  in  the  field  of 
computer  storage  and  retrieval,  microfilming, 
microfiche  techniques,  and  other  processes 
have  made  it  possible  to  store  and  retrieve 
large  quantities  of  information.  Information 
retrieval  techniques  have  been  developed 
which  permit  the  engineer  to  retrieve  stored 
data  and  perform  statistical  evaluations. 

The  accumulation  of  numerical  reliabil- 
ity data  has  been  aided  technically  and 
economically  by  the  use  of  computers.  Most 
of  the  early  data  banks  were  established  to 
provide  the  designer  with  the  information  he 
needed  for  a specific  system  development. 
The  more  recent  programs  are  broader  in 
scope  and  have  made  some  efforts  to  allevi- 
ate some  of  the  shortcomings  of  their  prede- 
cessors. Some  early  programs  have  been 
combined  with  others  or  eliminated. 

Ref.  4 is  a comprehensive  listing  of  Reli- 
ability and  Maintainability  sources  associated 
with  the  Air  Force.  Three  major  data  banks 
are  described  in  pars.  B-2,  B-3,  and  B-4. 
Some  of  the  special  circumstances  that  the 
designer  must  consider  in  using  data  bank 
information are discussed in par. B-5. A
partial listing of data banks is presented in
par.  B-6. 

B-2 GIDEP, GOVERNMENT-INDUSTRY
DATA EXCHANGE PROGRAM

B-2.1  INTRODUCTION 

The Government-Industry Data Exchange
Program (GIDEP) was originated in
1959 by the Army, Navy, and Air Force
Ballistic Missile Agencies. Known at that
time as IDEP—Interservice Data Exchange
Program—its intent was to eliminate duplicate
testing of parts and components by
disseminating pertinent test data among
Department of Defense contractors and various
Government agencies. The Navy FARADA
program also has been integrated into
GIDEP.

In 1966, both the National Aeronautics
and Space Administration and the Canadian
Military Electronics Standards Agency
(CAMESA) recognized the value of the data
provided by the program and became
participants. Today, GIDEP provides the
interchange of reliability data to all the military
services,  participating  Government  con- 
tractors, and  numerous  Government  agencies 
such  as  the  Energy  Research  and  Develop- 
ment Administration,  Federal  Aviation  Ad- 
ministration, Defense  Supply  Agency,  and  the 
Small  Business  Administration. 

GIDEP  operates  under  a charter  agreed 
upon  by  the  Army  and  Navy  Materiel  Com- 
mands, the  Air  Force  Systems  and  Logistics 
Commands,  and  NASA.  The  Program  Man- 
ager, organizationally  located  within  the 
Department  of  the  Navy,  is  responsible  for 
policies  and  procedures,  both  national  and 
international.  The  GIDEP  Administration 
Office located at FMSAEG, Corona, California,
is the operational arm of the program.
Working directly under, and responsible to,
the Program Manager, the Administration
Office maintains the GIDEP data banks and is
responsible for all operational phases of the
program. The GIDEP management team
includes Government and Industry advisory
groups.

Availability  of  a microfilm  reader-printer 
is  the  only  equipment  requirement  for  the 
frequent  GIDEP  data  user.  Participants  are 
not  subject  to  fees  or  assessments  of  any 
kind, nor is there any payment for
contributions of data. Participation at contractor
facilities usually is considered part of the
normal reliability or quality assurance
program. However, with the recent issuance of
Regulations  by  the  Military  Services  and 
NASA,  participation  is  now  becoming  a 
mandatory  requirement. 

The  objectives  of  the  GIDEP  program 
are  to: 

1. Reduce or eliminate duplicate
expenditures for development parts and
components

2.  Increase  the  confidence  level  in  the 
reliability  of  systems  using  these  parts  and 
components 

3.  Expedite  research  and  development 
projects  by  avoiding  repetition  of  tests  pre- 
viously accomplished 

4.  Assist  in  the  preparation  of  more 
realistic  proposals 

5.  Standardize  procedures  for  reporting 
test  information 

6.  Encourage  direct  intercontractor 
communications  among  technical  personnel 
working  on  related  projects 

7.  Generate  information  for  an  alter- 
nate source  of  parts  through  more  depend- 
able data 

8.  Create  a general  source  for  test  data 

9.  Provide  for  the  exchange  of  test 
equipment  calibration  procedures  and  related 
metrology  data. 

This description has been adapted from Ref. 3.

B-2.2  FUNCTIONS 

GIDEP  data  are  contained  in  four  sep- 
arate information  banks:  the  Engineering 
Data  Bank,  the  Failure  Experience  Data 
Bank,  the  Failure  Rate  Data  Bank,  and  the 
Metrology  Data  Bank.  No  classified  or  com- 
pany proprietary  information  is  included. 

B-2.2.1  Engineering  Data  Bank 

The Engineering Data Bank contains
primarily laboratory data relating to parts,
components,  and  materials.  These  data  cover 
Qualification  and  Environmental  Testing,  Re- 
search and  Development,  Evaluation  Re- 
ports, and  other  meaningful  engineering  data 
such  as  nonstandard  part  justification,  test 
planning,  and  manufacturing  processes. 

B-2.2.2  Failure  Experience  Data  Bank 

The Failure Experience Data Bank
contains failure experience data; failure analysis
reports from the field, laboratory, and
production; and information from a pilot effort
for a Defective Parts and Components
Control Program (DPCCP), which includes
failure analysis data by component types
derived from an operation and maintenance
level. The function of the DPCCP is to
identify and eliminate or control defective
parts. Methodology includes both the
avoidance of specifying suspect parts in new
designs and the purging of these suspect
parts from current Government inventory if
required.

Part  of  the  Failure  Experience  Data 
Bank  is  an  important  function  known  as  the 
ALERT  system.  The  ALERT  is  a highly 
effective  means  of  rapidly  providing  all  parti- 
cipants with  information  concerning  an  ac- 
tual or  potential  problem  involving  a part, 
material,  test  equipment,  process,  or  safety 
hazard. Any participant who finds a
situation that he feels to be of general concern
to other participants fills out an ALERT
form.  The  ALERT  form  is  submitted  to  the 
Administration  Office  where  it  is  reviewed 
and  distributed  to  all  participants  as  an 
ALERT.  Generally,  this  process  is  completed 
within  24  hr.  The  ALERT  system  may  be 
used  for  any  type  of  pertinent  information 
relating  to  any  of  the  data  banks.  It  is  issued 
to  identify  such  items  as  faulty  design, 
faulty  test  equipment  or  calibration  proce- 
dures, or  other  production  and  processing 
problems. 

B-2.2.3 Failure Rate Data Bank (FARADA)

The  Failure  Rate  Data  Bank  contains 
field  performance  data  relating  to  parts  and 
components.  Detailed  information  concerning 
failure  rates,  stress  levels,  mean  time  to  repair, 
level  of  test  specification,  failure  mode,  test 
environment,  and  other  pertinent  information 
is  contained  in  the  Failure  Rate  Data  Bank. 
The FARADA program—which collected field
experience and reliability demonstration test
data for use in Reliability Prediction, Spares
Provisioning and Logistics Support studies—
has been integrated into GIDEP as of July
1973. This has enlarged the GIDEP data bank
and provides a broader range of participating
organizations. It also provides parts and
components performance data obtained under
actual field operational conditions, so that
correlation  studies  can  be  made  to  compare 
laboratory  tests  with  field  experience. 

B-2.2.4  Metrology  Data  Bank 

The Metrology Data Bank contains
calibration procedures and general information
on  test  equipment.  Calibration  procedures 
prepared  by  both  the  military  and  industry, 
covering  most  electrical  and  mechanical  test 
equipment,  are  available  to  participants. 
Under  a program  called  SETE  (Secretariat 
for  Electronic  Test  Equipment),  which  is 
aligned  with  GIDEP,  other  types  of  informa- 
tion such  as  test  equipment  evaluation  re- 
ports are  available.  These  reports  greatly  in- 
fluence reliability  improvement  in  test  equip- 
ments and  instrumentation.  Groups  con- 
cerned with  the  measurement  of  physical 
and  electrical  attributes,  or  development  of 
measurement  standards  and  instrumentation, 
are  primary  users  of  this  data  bank. 

The  International  Reliability  Data  Ex- 
change with  the  EXACT  program  is  head- 
quartered in  Sweden.  Functioning  at  an  inter- 
national level,  EXACT  provides  for  the  ex- 
change of  reliability  test  data  with  a dozen 
foreign  countries.  GIDEP  provides  test  reports 
to  EXACT  which  document  successful  qualifi- 
cation and  evaluation  laboratory  tests  on 
parts  and  materials.  The  increasing  use  of 
foreign-made  parts  in  our  military  systems 
makes  availability  of  information  on  those 
materials  of  obvious  value.  EXACT  provides 
for  data  exchange  among  all  member  coun- 
tries. 

B-2.3 OPERATIONS

The  GIDEP  program  operates  as  a self- 
regenerating, closed-loop  system.  Engineer- 
ing, Failure  Experience,  Failure  Rate,  and 
Metrology  data  are  submitted  by  Government 
or  industry  participants  to  the  Administration 
Office  for  inclusion  into  the  GIDEP  Data 
Banks.  When  a GIDEP  Representative  submits 
data  to  the  Administration  Office,  he  assigns 
it  a 9-digit  generic  index  code.  The  first  3 
digits  of  the  code  define  the  major  part  classi- 
fication, such  as:  transformer  or  antenna. 
The last 3 pairs of digits provide relative levels
of detail information covering such areas as
function, application, construction, and even
detailed data such as pressure range, working
voltage, power rating, and frequency range.
The codes for indexing GIDEP data are
contained in the GIDEP Policies and Procedures
Manual  (Ref.  1). 

Once data have been screened and
indexed, the index is placed in the GIDEP
computer,  and  the  full  report  is  placed  in 
microfilm  cartridges  that  are  distributed 
along  with  a hard  copy  index  biweekly  to  all 
participants.  The  Administration  Office  dis- 
tributes a complete  updated  index  to  all 
participants  annually.  Participants  may  re- 
quest a computer  index  search  and  copies  of 
reports  directly  from  the  Administration 
Office, or they may, through a terminal, address
any  of  the  four  GIDEP  data  banks  individu- 
ally or  collectively.  The  user  can  enter  a 
year  date  to  restrict  his  data  search  to  rela- 
tively current  information,  or  he  can  run  an 
entire  historical  search  of  all  data  in  a parti- 
cular area. 

The  GIDEP  computer  is  programmed  so 
a participant  can  initiate  a search  using  any 
of  several  approaches.  The  computer  can  be 
addressed  to  search  by  GIDEP  generic  code, 
manufacturer's part number, key word,
industry standard part number, environmental
code,  or  any  other  fields  contained  in  the 
data  banks.  Once  information  is  located,  the 
computer  provides  the  participant  with  a 
microfilm  reel  and  access  number  in  addition 
to  a report  number.  All  participants  are  pro- 
vided with  microfilm  indexes.  Thus,  if  a 
participant  does  not  maintain  microfilm 
records,  he  can  request  copies  of  specific 
reports  or  the  loan  of  a microfilm  reel  from 
the  Administration  Office. 

If  an  index  and  computer  search  fails  to 
identify  participant-required  data  in  the 
GIDEP  Data  Banks,  the  user  can  initiate  an 
Urgent  Data  Request  (UDR).  One  of  the 
most  powerful  tools  of  the  GIDEP  program, 
the  Urgent  Data  Request  is  a means  by 
which a participant submits an informal
request to all other participants for
information on a specific part, component, material,
or test instrument. The GIDEP Administration
Office, upon receipt of the UDR,
reproduces the form and promptly distributes it
to all participants. When a participant finds
information pertaining to the particular
problem, he forwards the information
directly to the requestor.

One  of  the  key  people  in  the  GIDEP 
program  is  the  GIDEP  Representative.  As- 
signed by  each  new  participant  from  its  in- 
house  staff,  his  responsibility  is  to  determine 
who in his organization (1) can use and (2)
will  generate  GIDEP  data.  He,  more  than 
any  other  person  in  the  program,  directly 
influences  his  company’s  success  or  failure 
within  the  scope  of  the  GIDEP  program 
(Ref.  2). 

B-2.4  COST  SAVINGS 

The  GIDEP  program  provides  partic- 
ipants with  the  vehicle  to  maintain  and 
improve  the  reliability  of  their  product  and 
simultaneously  minimize  research  time  and 
eliminate  duplicate  testing  of  parts,  compo- 
nents, and  materials.  The  program,  properly 
implemented  and  utilized,  produces  impres- 
sive cost  effectiveness.  In  1966  when  the 
program  was  relatively  new,  the  documented 
cost  savings  to  participants,  both  Govern- 
ment and  industry,  was  $5  million.  In  1973 
the  GIDEP  program  has  a cost  savings  over 
$10  million. 

See  par.  B-6.1  for  contact  for  further  in- 
formation. 

B-3  RELIABILITY  ANALYSIS  CENTER-A 
DOD  ELECTRONICS  INFORMATION 
CENTER 

The Reliability Analysis Center is a
formal  Department  of  Defense  Information 
Analysis  Center  providing  technical  and  in- 
formation analysis  services  relating  to  semi- 
conductor and  passive  electronic  compo- 
nents. The  overall  objective  of  the  Reliabil- 
ity Analysis  Center  is  to  aid  Government 
and  contractor  engineers  in  improving  the 
reliability  of  military  and  space  electronic 
systems  and  equipments.  The  Reliability 
Analysis  Center  provides  users  with  faster 
and  more  effective  methods  of  achieving 
important  product  reliability  improvement. 
This  is  accomplished  through  ready  access  to 
factual failure and reliability data on all
component technologies, more effective
device procurement and quality assurance
practices, and elimination of redundant testing
programs.

The Reliability Analysis Center analyzes
and disseminates information that is
generated during all phases of device fabrication,
testing, equipment assembly, and operation.
The Reliability Analysis Center maintains a
comprehensive data base that continually is
updated  by  the  latest  information  generated 
by  Government  agencies,  independent  R&D 
laboratories,  device  and  equipment  manu- 
facturers, system  contractors,  and  field  oper- 
ations. Collection  efforts  concentrate  on  fail- 
ure mode  and  mechanism  analysis;  material, 
device,  and  process  technology;  quality 
assurance  and  reliability  practices;  test  re- 
sults; and  application  experience. 

A major  feature  of  the  center  is  its  analy- 
sis capability.  Information  that  is  processed 
into  its  files  is  classified  according  to  generic 
descriptors  that  encompass  material,  design, 
and process control characteristics.
Correlation studies—which isolate dependencies and
interrelationships among device properties,
operating environments, and failure
incidence—can be extended to new situations,
new  devices,  and  new  applications. 

The  Reliability  Analysis  Center  offers 
four  basic  services: 

1.  Publication  of  reliability  data  com- 
pilations, technical  reports,  handbooks,  and 
related  reference  documents 

2.  Rapid  information  searches  and  re- 
ferrals in  response  to  direct  user  inquiry 

3.  Consulting  services  and  in-depth 
studies 

4.  Maintenance  and  updating  of  the 
microcircuit  portion  of  MIL-HDBK-217B. 

The Reliability Analysis Center publishes
and periodically updates several unique data
compilations that report failure rates,
environmental stress susceptibility, and part
malfunction history. These publications
assemble results of recent laboratory tests, factory
checkout, and field operations into
convenient form for direct application to the users'
initial reliability control tasks. These data
are compiled in two forms: (1) by part type
number and manufacturer and, (2) by
physical (generic) part characteristics. Data
analysis and related information concerning
process control, quality assurance
procedures, procurement practices, etc., are
compiled in state-of-the-art reports and
handbooks as the need arises.

Although  fully  prepared  to  perform  lit- 
erature search  and  referral  services,  the  Reli- 
ability Analysis  Center  staff  can  contribute 
most  directly  to  the  solution  of  reliability 
problems  through  unbiased  technical  assess- 
ments and  in-depth  studies  of  its  accumu- 
lated resources  in  response  to  user  needs. 
The  Reliability  Analysis  Center  staff  is 
augmented  in  the  conduct  of  these  studies 
by  the  RADC  professional  reliability  staff 
who  have  reliability  competence  in  both 
component  and  system  areas  and  serve  as 
the  center  of  reliability  expertise  for  the  Air 
Force.  Typical  areas  for  consulting  are:  data 
analysis, failure problem investigation,
reliability assessment and predictions, test and
specification development, and in-depth data
and technical surveys.

The  Reliability  Analysis  Center  services 
are  available  without  restriction  to  Govern- 
ment agencies  and  contractors.  As  a DOD 
Information  Analysis  Center,  the  Reliability 
Analysis  Center  is  required  to  charge  all 
users  an  equitable  amount  for  the  service 
provided.  See  par.  B-6.2  for  the  contact  for 
further  information. 

B-4 ARMY SYSTEMS

B-4.1 THE ARMY EQUIPMENT RECORD SYSTEM (TAERS)

Information on TAERS is included—despite being replaced by TAMMS in 1969—because historical abstracts from the TAERS files generated between 1965 and 1969 are included in the TAMMS file.

TAERS was part of a program instituted by the Army to collect, analyze, and make use of information concerning Army materiel. The data handled were basically maintenance oriented, rather than reliability oriented—i.e., maintenance and management, part repairs and replacement frequency, maintenance resources, and manpower requirements. The system collected and processed data to provide the maintenance management information required by field commanders and managers in the following areas:

1.  Equipment  status  and  materiel  readi- 
ness 

2.  Effectiveness  of  maintenance  opera- 
tions 

3.  Adequacy  of  resources 

4.  Support  requirements. 

The  processed  data  were  examined  dur- 
ing the  programming  to  indicate  what  equip- 
ment was  failing,  why  it  was  failing,  how 
often  the  failure  was  occurring,  and  the 
amount  of  time  required  for  repairs.  The 
results  of  the  analysis  provided  statistical 
forecasts  for  planning  purposes. 

B-4.2 THE ARMY MAINTENANCE MANAGEMENT SYSTEM (TAMMS) INCLUDING SAMPLE DATA COLLECTION

The equipment record procedures known as TAMMS—which replaced TAERS in 1969—are used for control, operation, and maintenance of selected Army materiel.

The  system  is  applicable  to: 

1.  Equipment  improvement  recom- 
mendations 

2.  Recording  and  mandatory  reporting 
of  all  modification  work  order  requirements 
and  accomplishments 

3.  Recording  essential  information  to 
be  used  for  evaluation  of  materiel  readiness 

4.  Recording  and  reporting  of  failure 
data  for  design  of  new  equipment,  redesign 
of  standard  equipment,  and  product  im- 
provement 

5.  Collection  of  inventory,  operational, 
and/or  maintenance  data  on  special  onetime 
studies  or  projects.  (In  cases  where  the  forms 
and  procedures  do  not  fully  meet  the  require- 
ments of  such  studies,  approval  for  deviation 
must  be  obtained  from  Headquarters,  Depart- 
ment of  the  Army.) 

6. The periodic application by the Department of the Army of a sampling technique to obtain specific organizational maintenance action data from units located in a specific geographic area. (This sampling will include only specific type/model/series of equipments for a limited time period.)

The  exceptions  to  the  application  of  the 
maintenance  management  system  procedures 
are: 

1.  Installed  equipment  to  provide  util- 
ity services  such  as  gas,  steam,  and  water 

2.  Industrial  production  equipment 

3.  Locally  purchased  nonstock- 
numbered,  nonstandard  (nontype-classified) 
equipment,  other  than  commercial  vehicles 

4.  Equipment  procured  with  nonappro- 
priated  funds. 

Raw  data  generated  at  the  user  and  sup- 
port maintenance  levels  are  entered  onto 
prescribed  forms.  Commanders  at  the  field 
level  process  data  relating  to  expenditure  of 
maintenance  resources  and  materiel  readiness 
indicators,  and  forward  selected  maintenance 
data  to  a national  level  data  bank.  Analyses, 
summaries,  and  reports  subsequently  are 
furnished  to  the  national  level  materiel  man- 
agers for  their  use  in  improving  the  materiel 
readiness  condition  of  Army  materiel  in  the 
hands  of  the  user. 

The basic data in the system represent day-to-day experience of using organizations in operating and maintaining materiel. Data are recorded on assemblies, end items, and systems. Reduced data provide quantitative information such as:

1.  Materiel  reliability,  maintainability, 
and  availability 

2.  Scheduled  and  unscheduled  mainte- 
nance requirements 

3.  Repair  part  consumption 

4.  Utilization  rates  for  personnel,  ma- 
teriel, and  facilities. 

Typical uses of the reduced data are to validate maintenance engineering analysis predictions, identify problems with regard to current support resources, forecast resource requirements, and to detect trends that indicate a need for materiel modification, or that materiel is nearing the end of its useful life. Additionally, the data are used to evaluate new materiel concepts and designs, and to estimate life cycle support costs for new materiel. TAMMS provides little data useful for engineering applications other than exception failure data through the Equipment Improvement Recommendations (EIR). The EIR's provide indicators of field problems that the user feels merit national attention or a response to his specific problem. Each EIR provides only a narrative description with little if any quantitative data.

B-5 PRECAUTIONS IN USE

Historical  data  on  components,  equip- 
ments, and  systems  can  be  applied  to  aid  the 
design  of  new  equipment  or  systems.  Reli- 
ability requirements  have  become  quite  pre- 
cise and  are  included  in  system  contracts. 
Therefore,  designers  require  data  that  are 
statistically  valid,  have  been  analyzed  thor- 
oughly, and  are  promptly  available.  The 
degrees  to  which  these  objectives  have  been 
achieved  differ  for  various  data  banks. 

The  designer  needs  specific  data— such  as 
the  failure  rates  in  specific  environments 
and/or  stresses,  preconditioning  or  screening 
procedures  applied  to  the  parts,  and  similar 
details.  He  also  needs  reliability  data  that 
have  been  collected,  analyzed,  stored,  and 
disseminated  in  a form  that  is  useful  in  the 
conceptual  and  design  stage  phases.  Until 
such  time  as  a reliability  data  bank  that 
satisfies  completely  the  needs  of  the  designer 
is  developed  and  made  operational,  he  must 
proceed  with  caution  in  using  the  data  now 
available  to  him. 

There  are  several  basic  difficulties  with 
any  data  bank  and  analysis  center.  Perhaps 
the  most  fundamental  difficulty  is  that  the 
data  source  is  always  suspect.  Field  failure 
reports  are  notorious  for  their  inadequacies. 
The  user/maintainer  has  many  pressures  to 
use  the  system/equipment  correctly  and  to 
keep  it  functioning;  the  priority  allotted  to 
filling  out  failure  reports  is  usually  low.  A 
difficulty  with  many  contractor  reports  is 
that  not  all  contractor  personnel  are  highly 
competent;  some  reports  are  written  by  in- 
competent people.  It  is  easier  to  blame  fail- 
ures on  parts  rather  than  on  people. 

The human factors aspects of data banks and analysis centers have not been resolved satisfactorily. Formal pronouncements by headquarters staffs and company officials are not the same thing as implementation in the field.

Much  time  and  good  effort  have  gone 
into  these  data  sources.  If  they  are  used 
cautiously  and  intelligently,  they  can  be  very 
helpful;  if  they  are  used  blindly,  the  results 
often  will  be  very  unsatisfactory. 

B-6 PARTIAL LISTING OF DATA BANKS IN OPERATION

B-6.1  GIDEP,  GOVERNMENT-INDUSTRY 
DATA  EXCHANGE  PROGRAM 

This  is  a Government-sponsored  coopera- 
tive program  for  exchange  of  reliability  in- 
formation to  improve  quality  and  reliability, 
and  reduce  cost  of  systems  and  equipments. 

Technical  Coverage.  Engineering  and 
Failure  Experience  Data  on  parts,  compo- 
nents, and  materials.  Failure  Rate  Data  from 
field  operations,  and  Metrology  Data  includ- 
ing test  equipment  calibration  procedures. 
Coverage  of  data  is  electronic,  mechanical, 
hydraulic,  and  pneumatic. 

Mission.  Provides  program  for  exchange 
of  specialized  data,  and  operates  ALERT 
and  UDR  systems  to  provide  communication 
network  among  participants. 

Point  of  Contact. 

Head,  GIDEP  Branch 
Naval Fleet Missile Systems Analysis and Evaluation Group Annex (Code 862)

Corona,  CA  91720 
Phone:  (714)  736-4677 
AV:  933-4677 

B-6.2  RELIABILITY  ANALYSIS  CENTER 

Technical Coverage. A designated DOD Information Analysis Center for the dissemination of reliability and experience information on electronic components with special emphasis on microcircuits.

Mission. Serves as the DOD focal point for the acquisition, reduction, analysis, and organization of reliability data in an authoritative, timely, and readily usable form to aid Government and contractor engineers in improving the reliability of electronic systems.

Services. Publishes failure rate, environmental susceptibility, and malfunction data compendia, state-of-the-art surveys, handbooks, and reference bibliographies; conducts literature search and referral services; provides technical consulting services. Specialists in reliability are available to work directly with the user to define his problem, search out relevant data and information, evaluate and analyze results, and provide concrete recommendations and guidance. The Reliability Analysis Center data files contain data and technical reports on reliability physics investigations, reliability improvement programs, part design, qualification and lot acceptance tests, equipment assembly, demonstration test and checkout results, and operational history.

Point  of  Contact. 

Technical  Director 
Reliability  Analysis  Center 
RADC/RBRAC 
Griffiss AFB, NY 13441
Phone:  (316)330-4151 
AV:  587-4151 

B-6.3  EQUIPMENT  RECORD  AND  MAIN- 
TENANCE MANAGEMENT  SYS- 
TEMS 

A.  THE  ARMY  EQUIPMENT  RECORD 
SYSTEM  (TAERS) 

Technical Coverage. Historical only, 1965-1969. Maintenance-management data, part repair and replacement frequency, maintenance resources, and manpower requirements.

Mission. Management information necessary for evaluating: (1) equipment status and materiel readiness, (2) effectiveness of maintenance operations, (3) adequacy of resources, and (4) support requirements.

Point of Contact.

Appropriate NMP: example

Commander

USATACOM

ATTN: AMSTA-M(NMP)

Warren, MI 48090

B. THE ARMY MAINTENANCE MANAGEMENT SYSTEM (TAMMS)

Technical Coverage. Site location, usage, materiel readiness, and Equipment Improvement Recommendations.

Mission.  Provides  Fleet  Management 
data  and  improvement  recommendations  to 
the  national  level.  Provides  maintenance 
management  techniques  (forms  procedures 
to  using  unit  level). 

Point  of  Contact. 

Commander 

US Army Management Center

ATTN:  AMXMD-MT 
Lexington,  KY  40507 
Phone:  (606)293-3020 
AV:  745-3020 


B-6.4  US  ARMY  ELECTRONICS  COM- 
MAND (ECOM) 

Technical  Coverage.  Nuclear,  plasma, 
and  solid-state  physics,  geophysics,  meteorol- 
ogy, radio  communications,  automatic  data 
processing,  aerospace  electronics,  combat 
radar,  electronic  warfare,  detection  systems, 
frequency  controls,  and  electronic  parts  and 
components. 

Mission.  Coordinates  in  a single  organi- 
zation, the  research,  development,  procure- 
ment, and  production  of  Army  communica- 
tion and  electronic  materiel,  by  sponsoring 
and  conducting  of  research  and  by  publish- 
ing technical  reports  and  a current  news- 
letter. 

Point  of  Contact. 

Commander 

US  Army  Electronics  Command 

Ft.  Monmouth,  NJ  07703 

B-6.5  REDSTONE  SCIENTIFIC  INFORMA- 
TION CENTER 

Technical Coverage. Aerospace logistics, operations, ballistics, fire control, fuzes, warheads, and related missile and rocket ordnance.


Mission. Serves as data bank for technical literature on missiles, rockets, rocket motors, and related items at Redstone Arsenal; issues data compilations, summaries, bibliographies, and reports; and maintains and disseminates accumulated data.

Point of Contact.
Commander 

US  Army  Missile  Command 
ATTN:  AMSMI-RB 
Redstone  Arsenal,  AL  35809 

B-6.6  BALLISTIC  RESEARCH  LABORA- 
TORIES (BRL) 

Technical  Coverage.  Ballistic  technology, 
vulnerability  assessment  and  vulnerability  re- 
duction, weapon  system  evaluation,  concept 
analysis,  operations  research,  reliability, 
quality  assurance,  ballistic  measurements, 
test-data  analysis,  probability,  and  mathe- 
matical analysis. 

Mission.  Conducts  research  in  ballistics, 
vulnerability,  and  physical  and  mathematical 
sciences;  evaluates  and  synthesizes  data  for 
contributions  to  weapon  technology;  pro- 
vides technical  assistance  and  consulting  ser- 
vices; and  issues  technical  reports. 

Point  of  Contact. 

Director 

US  Army  Ballistic  Research  Labora- 
tories 

ATTN:  STINFO  Officer 

Aberdeen  Proving  Ground, 

MD  21005 

B-6.7 NONDESTRUCTIVE TESTING INFORMATION ANALYSIS CENTER (NTIAC)

Technical  Coverage.  Nondestructive-test 
data  on  materials,  acquired  through  radio- 
graphy, ultrasonics,  electromagnetic,  and 
other  nondestructive  test  methods. 

Mission. Collects, maintains, and disseminates, via rapid-retrieval system, data in the field of nondestructive testing; provides consulting and advisory services; and publishes bibliographic information.

Point of Contact.

Chief

Materials Testing Laboratory

US Army Materials and Mechanics Research Center

ATTN: AMXMR-TXT - Nondestructive Testing Information Analysis Center

Arsenal  Street 

Watertown,  MA  02172 

B-6.8  US  ARMY  BALLISTIC  RESEARCH 
LABORATORIES  (BRL)  (Radiation 
Engineering  Branch) 

Technical  Coverage.  Nuclear  radiation, 
residual  radiation,  shielding,  radiological  de- 
fense, and  radiation  effects. 

Mission.  Conducts  research  and  field  ex- 
periments, provides  technical  information 
and  assistance,  provides  environmental  moni- 
toring and  radiological  safety  support. 

Point  of  Contact. 

Chief 

Radiation Branch, Vulnerability Laboratory

US  Army  Ballistic  Research  Lab- 
oratories 

Aberdeen  Proving  Ground,  MD 
21005 

B-6.9 US ARMY TANK-AUTOMOTIVE DEVELOPMENT CENTER

Technical  Coverage.  Automotive  systems 
for  combat  vehicles,  tactical  wheeled  ve- 
hicles, commercial  wheeled  vehicles,  engineer 
and  construction  equipment  (as  of  1 July 
1974),  materials  handling  equipment  (as  of  1 
July  1975),  and  trailers  and  semitrailers. 

Mission.  Design,  development,  testing, 
procurement,  logistic  support  (Supply  and 
Maintenance),  and  reconditioning  of  vehicle 
systems  listed  above. 

Point of Contact.

1.  For  operational  field  data  and 
maintainability  data: 


Commander 

US Army Tank-Automotive Development Center
ATTN: AMSTA-QR
Warren, MI 48090

2. For test data and reliability data:

Commander

US Army Tank-Automotive Development Center
ATTN:  AMSTA-MS 
Warren,  MI  48090 

B-6.10 THERMOPHYSICAL AND ELECTRONIC PROPERTIES INFORMATION ANALYSIS CENTER

MACHINABILITY DATA CENTER

CONCRETE TECHNOLOGY INFORMATION ANALYSIS CENTER

Point  of  Contact. 

Chief,  Nondestructive  Testing  In- 
dustrial Applications  Branch 
US  Army  Materials  and  Mechanics 
Research  Center 
Arsenal  Street 
Watertown,  MA  02172 
Phone:  (617)926-1900 

AV:  648-8250 

B-6.11  PLASTICS  TECHNICAL  EVALUA- 
TION CENTER  (PLASTEC) 

Technical Coverage. Plastic materials, adhesives and composites, with emphasis on plastics in structural weapon systems, electrical and electronic applications, packaging, mechanical devices, and specifications.

Mission. Collects, exchanges, develops, and evaluates technical data for the DOD, related activities, contractors, and others on a fee basis as time permits. Serves as plastics information data source by consultation and publications.

Point of Contact.

Chief 

Plastics  Technical  Evaluation  Center 
Picatinny  Arsenal 
ATTN:  SARPA-FR-MD 
Dover,  NJ  07801 

B-6.12  US  ARMY  TEST  AND  EVALUA- 
TION COMMAND  (TECOM) 

Technical Coverage. Development test data and test techniques on all materiel used by the Army in the field.

Mission. Conducts development test II (DT II) (except those DT II engineering phases pertaining to aircraft performance, stability, and control climatic hangar test) and development test III (DT III) of all AMC developed Army materiel intended for general use by the Army in the field. Plans, conducts, and reports on the developmental test objectives of combined development and operational tests, in conjunction with Operational Test and Evaluation Agency (OTEA), Department of the Army, and/or the AMC activity responsible for operational testing. Reports of all testing are available for Defense Documentation Center.

Point  of  Contact. 

Reliability,  Availability  and  Maintain- 
ability Directorate 

HQ,  US  Army  Test  and  Evaluation 
Command 

Aberdeen  Proving  Ground,  MD 

21005 

B-6.13 US ARMY COLD REGIONS RESEARCH AND ENGINEERING LABORATORY (CRREL)

Technical Coverage. Physical, mechanical, and structural properties and behavior of snow, ice, and frozen ground; geology, geophysics, geography, and meteorology; engineering and technology; environmental conditions and physics; military applications; and hydrology, waste water management, ice engineering.

Mission. Conducts research and engineering investigations for supporting and improving US military capabilities in cold regions.


Point  of  Contact. 

CO/Director 

US Army Cold Regions Research and Engineering Laboratory
ATTN:  CRREL-TI  ... 

P.O.  Box  282 
Hanover,  NH  03775 

B-6.14 US ARMY HUMAN ENGINEERING LABORATORIES (HEL)

Technical  Coverage.  Scientific  and  tech- 
nical information  regarding  human  factors 
affecting  military  operations  and  materiel. 

Mission.  Assists  the  AMC  in  resolving 
human-factors  engineering  problems  by  per- 
forming research,  giving  courses,  etc.,  to 
facilitate  smooth  man-machine  operability. 

Point  of  Contact. 

Commander 

US  Army  Human  Engineering  Lab- 
oratories 

Aberdeen  Proving  Ground,  MD 
21005 

B-6.15  PETROLEUM  AND  MATERIALS 
DEPARTMENT,  US  ARMY  MOBIL- 
ITY EQUIPMENT  RESEARCH  AND 
DEVELOPMENT  COMMAND 


Technical  Coverage.  Chemical  cleaning 
and  corrosion;  paint,  varnish,  and  lacquer; 
automotive  chemicals;  and  fuels  and  lubri- 
cants. 

Mission. Provides research, development, evaluation, and specification information in support of AMC; provides consultant services to other military agencies.

Point  of  Contact. 

Chief,  Petroleum  and  Materials  De- 
partment 
USAMERDC 
Ft.  Belvoir,  VA  22060 

B-6.16 US ARMY NATICK DEVELOPMENT COMMAND

Technical Coverage. Physics, biology, and engineering as applied to textile, clothing, body armor, footwear, organic materials, insecticides and fungicides, subsistence, containers, food service equipment, field support equipment (as assigned), tentage and equipage, and air delivery equipment.

Mission.  Conducts  research,  develop- 
ment, engineering,  and  standardization  pro- 
grams. 

Point  of  Contact. 

Commander 

US  Army  Natick  Development 
Command 

ATTN:  STSNLT-EQ 

Natick,  MA  01760 


B-6.17  US  ARMY  ARMAMENT  COM- 
MAND (ARMCOM) 

Technical Coverage. Engineering research data on munitions and weapon systems including cannon, mortars, howitzers, small arms, and antitank and antiaircraft weapons. Special topics include recoil mechanisms, fire control equipment, feed mechanisms, optical equipment, nondestructive-testing equipment, all munitions, all projectiles, rocket and missile warheads, mechanical fuze timers, mines and mine fuzing, pyrotechnics, propellant actuated devices, toxic chemical munitions, flame weapon systems, and incendiary devices. Services include numerical analysis, mathematical statistics, probability, and operations research methodology.

Mission. Supports and conducts research, development, and engineering to satisfy the need for new weapon systems and to improve existing systems; issues technical reports.

Point  of  Contact. 

1.  General  inquiries: 

HQ,  US  Army  Armament  Com- 
mand 

Research  Development  and  En- 
gineering Directorate 
Engineering  Support  Division 
ATTN:  AMSAR-RDS 
Rock  Island  Arsenal 
Rock  Island,  IL  61201 


2. Reliability/Availability/Maintainability data:

HQ,  US  Army  Armament 
Command 

Product  Assurance  Directorate 
ATTN:  AMSAR-QA 
Rock  Island  Arsenal 
Rock  Island,  IL  61201 


B-6.18  DEFENSE  LOGISTICS  STUDIES 
INFORMATION  EXCHANGE,  US 
ARMY  LOGISTICS  MANAGEMENT 
CENTER 

Technical  Coverage.  Scientific  and  tech- 
nical information  regarding  human  factors 
affecting  military  operations  and  materiel. 

Mission.  Collects  and  stores  documenta- 
tion pertaining  to  logistic  management.  Dis- 
seminates information  by  the  publication  of 
an  annual  bibliography  with  quarterly  sup- 
plements of  studies  relating  to  logistics,  and 
the  publication  of  an  annual  catalog  of  logis- 
tic models.  Custom  bibliographies  may  be 
developed  upon  request. 

Point of Contact.

US Army Logistics Management Center

Defense Logistics Studies Information Exchange
Ft. Lee, VA 23801

B-6.19 US ARMY HARRY DIAMOND LABORATORIES (HDL)

Technical Coverage. System research in fuzing, ranging, guidance, and detection; instrumentation, measurement, and simulation; electronic and electrical components; nuclear weapon effects; and basic research in electromagnetic properties of plasma, nonlinear circuits, lasers, and fluidics.

Mission. Provides R&D engineering and consulting services in the physical and engineering sciences to meet Army requirements, and support other DOD elements.

Point of Contact.

Chief,  Programs  and  Plans  Office 
US  Army  Harry  Diamond  Labor- 
atories 

Adelphi,  MD  20783 


B-6.20  PERFORMANCE  DATA  AND  RE- 
TRIEVAL SYSTEM  FOR  NAVAL 
SURFACE-LAUNCHED  MISSILES 

Technical Coverage. Reliability, maintainability, and availability data for fire control radars and computers, search radars, guided missile launching systems, weapon direction systems, test equipment, and missiles.

Mission.  Collects,  processes,  and  anal- 
yzes reliability,  maintainability,  and  perform- 
ance data  using  information  storage  and  re- 
trieval systems. 

Point  of  Contact. 

Head,  Surface-Launched  Missile  De- 
partment 

US  Naval  FMSAEG 
Corona,  CA  91720 

B-6.21  PERFORMANCE  DATA  AND  RE- 
TRIEVAL SYSTEM  FOR  NAVAL 
AIR-LAUNCHED  MISSILES 

Technical Coverage. Reliability, maintainability, and availability data for fire control radars and computers, search radars, guided missile launching systems, weapon direction systems, test equipment, and missiles.

Mission.  Collects,  processes,  and  anal- 
yzes reliability,  maintainability,  and  perform- 
ance data  using  information  storage  and 
retrieval  systems. 

Point  of  Contact. 

Head,  Air-Launched  Missile  De- 
partment 

US  Naval  FMSAEG 

Corona,  CA  91720 


B-6.22  ADP  SYSTEM  FOR  SUMMARIZA- 
TION OF  QEEL  SURVEILLANCE 
AND  FLEET-FIRING  OF  VT  FUZES 

Technical Coverage. Component reliability of VT fuze performance.

Mission. Computer programs identify VT fuzes of specific manufacturers and provide printouts of test results.

Point  of  Contact. 

Code  32300 
Q.E.E.  Laboratory 
US  Naval  Weapons  Station 
Concord,  CA  94520 

B-6.23  ADP  SYSTEM  FOR  SUMMARIZA- 
TION OF  QEEL  SURVEILLANCE 
OF  NAVY  GUN  AMMUNITION 

Technical  Coverage.  Performance  reli- 
ability of  Naval  gun  ammunition. 

Mission.  Data  storage  and  retrieval  sys- 
tem provides  results  of  QEE  and  special  tests 
performed  on  Navy  gun  ammunition  and 
components,  along  with  listings  and  sum- 
maries of  specific  ammunition  types  and 
components. 

Point  of  Contact. 

Code  32300 
Q.E.E.  Laboratory 
US  Naval  Weapons  Station 
Concord,  CA  94520 

B-6.24  ADP  SYSTEM  FOR  FLEET-FIRED 
NAVY  GUN  AMMUNITION 

Technical Coverage. Reliability of stockpile ammunition.

Mission. Maintains an information system with an output of listings of ammunition lot performance from test data and statistical summaries.

Point  of  Contact. 

Code  32300 
Q.E.E.  Laboratory 
US Naval Weapons Station
Concord, CA 94520

B-6.25 ADP SYSTEM FOR AIR LAUNCHED MISSILE GUIDANCE AND CONTROL SECTIONS

Technical Coverage. Missile component reliability for SIDEWINDER and SPARROW III.

Mission. Provides an automated data and information storage and retrieval system for the results of G&C component testing of air-launched guided missiles. Assists in engineering and statistical analyses of test results.

Point  of  Contact. 

Code  32300 
Q.E.E.  Laboratory 
US  Naval  Weapons  Station 
Concord,  CA  94520 

B-6.26  ADP  SYSTEM  FOR  NAVY  CALI- 
BRATION PROGRAM  FOR  MEC, 
POMONA 

Technical Coverage. Reliability of test and measuring equipment.

Mission.  This  data  processing  system 
outputs  data  to  optimize  calibration  inter- 
vals, provides  reliability  information,  and 
thereby  serves  as  a monitoring  system  to- 
ward improving  equipment  reliability. 

Point of Contact.

Naval  Weapons  Representative 
Metrology  Engineering  Center 
Pomona,  CA  91766 

B-6.27 CHEMICAL  PROPULSION  INFOR- 
MATION AGENCY  (CPIA) 

Technical Coverage. Research, development, test, and evaluation information on chemical rockets, air breathing propulsion, and gun propulsion.

Mission.  Acquires,  correlates,  analyzes, 
and  disseminates  RDT&E  data  via  meetings, 
briefings,  consultations,  and  publications  to 
management  and  technical  personnel. 

Point  of  Contact. 

AIR-330 

Naval  Air  Systems  Command 
Washington,  DC  20360 


B-6.28  NAVSECNORDIV  DATA  BANK 

Technical Coverage. Reliability, maintenance, and equipment performance data.

Mission. Receives data-element inputs from Naval activities not included in MDCS, keypunches the data, and forwards to the Naval Ship Research and Development Center for processing and storage in the data bank. Processed data then are analyzed by NAVSECNORDIV personnel in reliability and maintainability improvement programs.

Point  of  Contact. 

Head,  Statistical  Engineering  Branch 
NAVSECNORDIV,  Code  6643 
Norfolk,  VA  23511 

B-6.29  OPERATIONAL  TEST  AND  EVAL- 
UATION FORCE  (OPTEVFOR) 

Technical Coverage. Operational effectiveness and suitability evaluations of preproduction equipments and/or weapon systems.

Mission. Tests operationally and evaluates specific weapon systems, ships, aircraft, and equipments, including procedures and tactics, when directed by the Chief of Naval Operations.

Point  of  Contact. 

Deputy  Chief  of  Staff  for  Opera- 
tions, Plans  and  Programs 
Operational  Test  and  Evaluation 
Force 

US Naval Operating Base
Norfolk,  VA  23511 

B-6.30 UNDERWATER WEAPON SYSTEMS RELIABILITY DATA (UWSRD)

Technical Coverage. Reliability evaluations of underwater weapon systems.

Mission.  Provides  the  technical  data 
necessary  for  weapon  system  analyses,  and 
reliability  and  effectiveness  determinations 
by  engineering  and  technical  personnel. 

Point  of  Contact. 

Code  RA32 

US Naval Underwater Systems Center

Newport, RI 02840

B-6.31 AUTOMATED RELIABILITY AND MAINTAINABILITY MEASUREMENT (ARMMS)

Technical Coverage. Reliability and maintainability characteristics.

Mission. Designed to permit accurate measurement of aircraft characteristics; this data collection and analysis system will input Navy aircraft Maintenance Data Collection System data elements. Output will be used for weapon system evaluations.

Point  of  Contact. 

Commander,  Naval  Air  Test  Center 
Service  Test  Division  (ST373) 

US  Naval  Air  Station 
Patuxent  River,  MD  20760 

B-6.32  OFFICE  OF  INFORMATION  SER- 
VICES 

Technical  Coverage.  Nuclear  science  and 
related  sciences. 

Mission. Plans, directs, and operates a comprehensive nuclear technology information program for exchanging, processing, controlling, publishing, and exhibiting nuclear science and technology information to meet the needs of the Energy Research and Development Administration (ERDA), other Government agencies, industry, and the world technical community. Also establishes ERDA standards, policies, and procedures for information reporting and dissemination.

Point of Contact.

Office of Information Services
Energy  Research  and  Development 
Administration 
Washington, DC  20545 

B-6.33  AFM  66-1  AIR  FORCE  MAINTE- 
NANCE  DATA  COLLECTION 
SYSTEM 

Technical Coverage. Maintenance data; maintenance analysis and control; failed-part summaries; and maintenance manpower management in the areas of aircraft, missiles, electronic communications, ground equipment, and munitions.


Mission.  Supports  management  of  the 
maintenance  resources  at  all  levels  of  com- 
mand, by  providing  information  on  required 
and  current  maintenance. 

Point  of  Contact. 

Director,  Data  Management  Division 
Reports  Management  Branch, 

MCCDQ 

US  Air  Force  Logistics  Command 
Wright-Patterson  Air  Force  Base, 

OH  45433 

B-6.34  AF/SAJ,  OFFICE  OF  SPECIAL 
STUDIES 

Technical  Coverage.  Reliability  and  ac- 
curacy; statistical  and  mathematical  tech- 
niques. Space  systems:  testing,  test  analysis, 
and  design.  Weapon  systems:  evaluation, 
costs,  logistics,  and  maintenance. 

Mission.  Issues  scientific  studies  and  cur- 
rent state-of-the-art  information  and  provides 
consultant  services  for  use  in  making  techno- 
logical, tactical,  and  strategic  decisions. 

Point  of  Contact. 

Assistant for Special Studies
Operations Analysis Office
Headquarters, US Air Force
The Pentagon
Washington, DC 20330

B-6.35 METALS AND CERAMICS INFORMATION
CENTER (MCIC)

Sponsor. Department of Defense, Office
of the Director of Defense Research and
Engineering, under a Defense Supply Agency
contract monitored by the Army Materials
and Mechanics Research Center, Watertown,
Massachusetts.

Technical Coverage:

1. Metals: Titanium, aluminum, and
magnesium, beryllium, refractory metals,
high-strength steels, superalloys (primarily
nickel- and cobalt-base alloys), rhenium, and
vanadium.

2.  Ceramics:  Borides,  carbides,  car- 
bon/graphite, nitrides,  oxides,  sulfides,  sili- 
cides,  intermetallics,  and  selected  glasses  and 
glass-ceramics. 
Composites of these materials; coatings;
environmental effects; mechanical properties;
materials applications; test methods; sources,
suppliers, and specifications; other materials
mutually agreed upon by the contractor and
the Government.

Mission. Provides technical assistance
and information on materials within the
Center's scope, with emphasis on application
to the defense community.

Publications.  Monthly  newsletter  (dis- 
seminated free  by  the  Center  to  anyone  en- 
gaged in  materials  research,  development,  or 
utilization);  a series  of  weekly  reviews  on 
developments  in  metals  technology;  a 
monthly  review  of  ceramic  technology;  a 
variety  of  engineering  reports  and  handbooks 
related  to  the  use  of  advanced  metals  and 
ceramics.  The  reviews,  reports,  and  hand- 
books are  available  at  cost  from  the  National 
Technical  Information  Service. 

Services.  Answers  to  technical  inquiries, 
bibliographies,  literature  searches,  and  special 
studies  are  provided  on  a fee  basis,  depending 
on  the  time  involved. 

Point  of  Contact. 

Metals and Ceramics Information Center
Battelle Memorial Institute
505 King Avenue
Columbus, OH 43201
Phone: (614) 299-3151

B-7  DISCONTINUED  OR  TRANSFERRED 
ACTIVITIES 

1.  NASA,  PRINCE/APIC  Information  Cen- 
ter 

No  longer  exists  as  an  active  infor- 
mation center. 

2.  RATR,  Reliability  Abstracts  and  Tech- 
nical Reviews 

Discontinued. Old copies are available
from NTIS, Springfield, VA 22151.


3. IDEP, Interagency Data Exchange Program

Integrated  into  GIDEP  (See  par. 
B-6.1.) 

4.  FARADA,  Tri-Service  and  NASA  Failure 
Rate  Data  Program 

Integrated into GIDEP (See par.
B-6.1.)

5.  AFREIC,  Air  Force  Radiation  Effects 
Information  Center 

6. AFEPIC, Air Force Electronic Properties
Information  Center 

7.  AFDMIC,  Air  Force  Defense  Metals  In- 
formation Center 

8. AFMPDC, Air Force Mechanical Properties
Data Center (See par. B-6.10,
Monitored by Nondestructive Testing
Industrial Applications Branch, US Army
Materials and Mechanics Research Center,
Watertown, MA 02172.)

9.  TAERS,  The  Army  Equipment  Record 
System 

Replaced  by  TAMMS.  (See  par. 
B-4.2.) 

REFERENCES 

1.  GIDEP  Policies  and  Procedures  Manual, 
ium, 266-273 (1974).

4. Reliability and Maintainability Data
Sources, AFLC/AFSC Pamphlet 400-?
(to be published in 1974). Check with
HQ, Air Force Logistics Command,
Wright-Patterson AFB, Ohio 45433 or
HQ, Air Force Systems Command,
Andrews AFB, Washington, DC 20331.

5.  TM  38-750,  The  Army  Management 
Maintenance  System  (TAMMS),  Novem- 
AD-875 669

Army  Test  and  Evaluation  Command, 
Aberdeen  Proving  Ground,  Md. 

HUMAN  FACTORS  ENGINEERING. 

Final  rept.  on  materiel  test  procedure. 

17  Jul  70,  26p  MTP-8-3-509 
Distribution  Limitation  now  Removed. 

Descriptors: (*Human engineering, Test
methods), Chemical warfare, Biological warfare,
Human engineering, Training, Operation,
Maintenance, Military personnel.

Identifiers:  Common  service  test  procedures. 

The Army Service Test Procedure describes
test methods and techniques for evaluating
the Human Factors Engineering aspects of
chemical-biological equipment and its
compatibility with the skills, aptitudes, and
limitations of military personnel who will use the
items. (Author)

N71-12334 

National Aeronautics and Space Administration,
Langley Research Center, Langley Station, Va.

FIXED-BASE  VISUAL-SIMULATION 
STUDY  OF  MANUALLY  CONTROLLED 
OPERATION  OF  A LUNAR  FLYING 
VEHICLE. 

G. K. Miller, Jr., and G. W. Sparrow. Dec 70, 42p
NASA-TN-D-5983, L-7320
Contract  127-51-34-03 

Descriptors: *Control equipment, *Control
simulation, *Lunar flying vehicles, *Manual
control, Man-machine systems, Operations
research, Pilot performance, Visual flight.

For  abstract,  see  STAR  09  03. 

PB-197  127 

BISRA-The  Corporate  Labs,  of  the  British 
Steel  Corp.,  London  (England).  Operational 
Research  Dept. 

BISRA  OPEN  REPORT.  SELECTION  OF 
ABSTRACTS  FROM  ERGONOMICS  AB- 
STRACTS, VOLUME  2 NO.  2. 

1970,  14p  BISRA-OR/HF/35/70 
See also Volume 1, No. 3, PB-194 443.


Descriptors: (*Man-machine systems, Abstracts),
(*Human factors engineering, *Abstracts),
Psychology, Physiology, Anthropometry,
Environmental engineering, Workplace
layout, Clothing, Design, Great Britain.
Identifiers:  *Ergonomics. 

Contents: Man as a systems component -
psychology, physiology, anthropometry, and
biomechanics; The design of the man-machine
interface - data presentation, input facilities,
workplace and equipment design, environmental
design, noise, vibration, atmosphere,
thermal conditions, specialized and
protective clothing; Systems design and
organization - work organization, training,
motivation, and attitudes; Methods, techniques and
equipment in ergonomics - investigation of
man as a systems component - physiology,
anthropometry, and biomechanics; Methods,
techniques, and equipment in ergonomics -
investigation of the design of the man-machine
interface - environmental design; Methods,
techniques, and equipment in ergonomics -
investigation of systems design and
organization - work design and organization,
implementation, and evaluation of industrial
training procedures, and implementation of
selection procedures.

AD-718  731 

Army  Test  and  Evaluation  Command, 
Aberdeen Proving Ground, Md.

HUMAN  FACTORS  ENGINEERING 
Materiel  test  procedure. 

20  Dec  67,  5p  Rept  No.  MTP-4-3-515 

Descriptors: (*Test methods, *Human engineering),
(*Ammunition, Human engineering),
Compatibility, Handling, Safety, Assembling.

Identifiers: *Common service test procedures.

The  objective  of  the  Materiel  Test  Procedure 
is  to  evaluate,  during  testing  involving  ammu- 
nition, whether  or  not  human  factors  consid- 
erations were  engineered  into  the  design  of 
ammunition  to  assure  maximum  compatibil- 
ity in  the  ammunition-weapon-crew  relation- 
ship. (Author) 
AD-732 613

Illinois  Univ.  Savoy  Aviation  Research  Lab. 
EFFECTS  OF  THE  MAN  ON  THE  TASK  IN 
COMPLEX  MAN-MACHINE  SYSTEMS, 
Charles  L.  Hulin,  and  Kenneth  M.  Alvares. 
Feb  71,  14p  AFHRL-TR-71-7 
Contract F41609-70-C-0027
See also related reports AD-731 191 and
AD-732 612.

Descriptors:  (*Man-machine  systems,  *Job 
analysis), Training, Factor analysis, Design,
Effectiveness. 

Identifiers:  Pilot  training. 

This  research  tested  the  hypothesis  that  in  a 
complex  man-machine  system,  one  of  the 
many  influences  on  the  system  is  the  man's 
constant  reorganization  of  the  tasks  which 
constitute  the  system.  The  performances  of 
67  male  college  students  receiving  basic  flight 
training  were  assessed  by  means  of  check  rides 
at  three  different  points  of  training.  Factor 
analyses  of  each  set  of  check  ride  data  indica- 
ted systematic  changes  occurred  in  the  struc- 
ture of  the  task.  A three-factor  solution 
appeared  in  the  10-hour  data,  two  factors 
were  being  assessed  by  the  25-hour  point,  and 
only  one  general  factor  appeared  in  the 
35-hour  data.  This  finding  indicates  that 
future  man-machine  systems  research  should 
no  longer  be  designed  under  a fixed-task  as- 
sumption. It  is  speculated  that  this 
assumption  may  be  one  cause  of  the  generally 
found  weak  prediction  of  system  performance 
effectiveness over meaningful intervals of time.
(Author)

AD-721  657 

Dunlap  and  Associates  Inc.,  Darien,  Conn. 
HUMFACTS  SYSTEM  THESAURUS. 

Jan  71,  419p* 

Contract  DAHC04-69-C-0076 

Descriptors: (*Dictionaries, *Human engineering),
Information retrieval, Vocabulary,
Subject indexing.

Identifiers: *Thesauri, HUMFACTS System
Thesaurus.

The thesaurus contains words and phrases,
concept-terms, which reflect the concepts to
be indexed in support of the Human Factors
Engineering Information Retrieval (HUMFACTS)
System. The concept-terms indicate
structures  which  display  the  relationship 
between  terms  to  at  least  two  levels  of  detail 
in  meaning.  This  developmental  thesaurus  is 
intended  to  serve  as  the  authority  list  for  sub- 
sequent indexing  and  retrieval  processing  but 
is  not  considered  final.  (Author) 

AD-730  910 

Bunker-Ramo  Corp.,  Westlake  Village,  Calif. 
DEVELOPMENT  OF  A HUMAN  PERFOR- 
MANCE RELIABILITY  DATA  SYSTEM. 
Technical  rept., 

David Meister, and Robert G. Mills. Jun 71,
19p AMRL-TR-71-74

Contract F33615-70-C-1518

Presented at the Reliability and Maintainability
Conference (10th), held on 28-30 Jun 71.

Descriptors: (*Performance (Human), *Reliability),
(*Behavior, Classification), Man-machine
systems, Data, Human engineering,
Feasibility studies.

Identifiers:  Taxonomy. 

A study  was  performed  to  determine  the 
requirements  for  and  the  elements  of  a human 
performance  reliability  (HPR)  data  system. 
The  heart  of  the  HPR  system  is  a taxonomic 
structure  for  classifying  behavioral  studies. 
140  studies  from  a variety  of  sources  were 
coded  using  this  taxonomy.  To  test  the  effi- 
ciency of  this  data  bank  to  provide  answers  to 
system development questions, a number of
tests  were  performed  to  determine  the  rele- 
vance of  the  data  retrieved  to  the  questions 
asked.  The  results  of  these  tests  indicated  that 
it  is  possible  to  expand  the  HPR  data  base 
provided  one  is  not  restricted  to  a probabil- 
istic metric.  (Author) 

AD-730  923 

Michigan  Univ.,  Ann  Arbor  Human  Perform- 
ance Center 

SHORT-TERM  MEMORY  FOR  QUANTI- 
TATIVE INFORMATION  FROM  THREE 
KINDS  OF  VISUAL  DISPLAYS. 

Technical rept.,

Vicki Vivienne Rhona Cohen. Jun 71, 89p
Rept  Nos.  08773-82-T,  TR-28  AFOSR-TR- 
71-2580 

Contract  AF  49(638)-1736,  ARPA  Order-461 
Descriptors: (*Memory, Display systems),
Human engineering, Recall, Motion.

Identifiers: Short-term memory.

A series  of  four  experiments  was  conducted 
to  investigate  whether  the  nature  of  a visual 
display affects short-term memory for numeric
information extracted from it. Three different
kinds of displays were chosen for study:
a digital  counter,  a moving  scale,  and  a mov- 
ing pointer  display.  Experiment  I examined 
reading  performance  using  the  moving  scale 
and  moving  pointer  displays.  The  results  of 
this  experiment,  in  which  the  moving  scale 
yielded  superior  performance,  provided  base- 
line data  with  which  to  judge  future  perfor- 
mance and  also  enabled  a judicious  choice  of 
exposure  durations  for  the  subsequent  experi- 
ments. In  Experiment  II  the  Brown-Peterson 
paradigm with varied retention intervals was
used  to  examine  the  short-term  memory  for 
quantitative  information  from  the  three  kinds 
of  displays.  In  general,  the  digital  counter 
yielded  the  best  recall  performance,  followed 
by  the  moving  pointer  and  moving  scale  dis- 
plays in  that  order.  Experiments  III  and  IV 
were between- and within-subjects designs
which  tested  this  hypothesis  using  the 
Brown-Peterson  paradigm  with  two  different 
interpolated  tasks,  one  of  which  interfered 
with  the  retention  of  verbal  information  and 
the  other  which  interfered  with  the  retention 
of  both  verbal  and  nonverbal  information. 
The  differences  in  error  patterns  obtained  in 
Experiment  II  between  the  moving  pointer 
and  moving  scale  displays  were  again  obtained 
when  the  interpolated  activity  was  considered 
to  be  causing  only  verbal  interference.  How- 
ever, this  difference  was  abolished  or  consid- 
erably lessened  when  the  interpolated  activity 
was  one  that  interfered  with  both  verbal  and 
nonverbal  memory.  (Author) 

AD-729  855 

Army  Test  and  Evaluation  Command, 
Aberdeen  Proving  Ground,  Md. 

HUMAN  FACTORS  ENGINEERING 
Final  rept.  on  materiel  test  procedure. 

1 Sep  71,  22p  Rept.  No.  MTP-10-2-505 
Supersedes  Rept.  No.  MTP-10-2-505  dated  19 
Jul  67,  AD-725  555. 


Descriptors:  (*Army  equipment,  Human 
engineering),  (*Human  engineering,  Test 
methods),  Measurement,  Standards,  Accu- 
racy, Errors,  Performance  (Engineering),  Per- 
formance (Human),  Safety. 

Identifiers: *Common engineering test procedures.

The  document  outlines  procedures  for  evalua- 
ting the  human  factors  associated  with  use  of 
general  equipment.  (Author) 

AD-729  964 

Texas  Tech  Univ.,  Lubbock  Center  of  Bio- 
technology and  Human  Performance. 
PERFORMANCE,  RECOVERY  AND  MAN- 
MACHINE  EFFECTIVENESS. 

Semi-annual progress Rept. 1 Mar - 31 Aug 71,
Richard A. Dudek. 15 Sep 71, 26p
Contract DAAD05-69-C-0102
See also Semiannual progress rept. dated 15
Mar 71, AD-723 430.

Descriptors: (*Man-machine systems, Effectiveness),
(*Performance (Human), Environment),
Stress (Psychology), Stress (Physiology),
Behavior, Attention, Motivation, Nutrition,
Vibration, Climatology, Exercise,
Rhythm (Biology), Fatigue (Physiology),
Group dynamics, Military personnel.

The  goals  of  the  research  are  the  determina- 
tion of  optimal  or  near  optimal  work/rest 
schedules  for  individuals  and  crews  to  yield 
high  performance  with  minimal  decrement 
over time followed by recovery (after rest) to
an  acceptable  high  performance.  The  experi- 
mentation is  further  aimed  at  consideration  of 
various  task  levels  and  differing  conditions  of 
environment.  Experimentation  in  progress 
continues  to  focus  attention  on  the  assess- 
ment of  human  performance  under  continu- 
ous operations  or  relatively  long  term  activity 
(2  hours  or  more  of  activity).  Effects  of 
circadian  rhythms  on  performance  will  also  be 
studied  in  connection  with  this  project. 

AD-725 555

Army  Test  and  Evaluation  Command, 
Aberdeen Proving Ground, Md.

HUMAN  FACTORS  EVALUATION 
Materiel  test  procedure. 
19 Jul 67, 8p Rept. No. MTP-10-2-505

Descriptors: (*Army equipment, Human engineering),
(*Human engineering, Test methods),
Test facilities, Questionnaires, Technicians,
Personnel management.

Identifiers: *Common engineering test procedures.

The  objective  of  the  materiel  test  procedure  is 
to  provide  general  testing  procedures  to  be 
used  in  conducting  the  human  factors  portion 
of  engineering  tests  of  general  supplies  and 
equipment,  and  to  evaluate  the  human  factors 
requirements  of  the  test  items  as  set  forth  in 
QMR’s,  SDR’s,  technical  characteristics,  and 
as  indicated  by  the  particular  design.  These 
procedures  are  to  be  used  along  with  other 
engineering  test  procedures  to  determine  the 
technical  and  maintenance  suitability  of  the 
test  items  for  service  tests.  (Author) 

AD-719  108 

Army  Test  and  Evaluation  Command, 
Aberdeen  Proving  Ground,  Md. 

HUMAN  FACTORS. 

Final  rept.  on  materiel  test  procedure. 

11  Dec  70,  22p  Rept  no.  MTP-7-3-510 

Descriptors: (*Human engineering, Test
methods), Test equipment, Noise, Visibility,
Environment, Military facilities, Control
systems, Display systems, Installation,
Reliability, Maintenance, Safety, Data processing
systems.

Identifiers: Evaluation, *Common engineering
test procedures, *Avionics.

Human  factor  considerations  applicable  to 
aviation  armament  and  avionics  are  described. 
(Author) 

AD-727  658 

Human  Resources  Research  Organization, 
Alexandria,  Va. 

MAN  IN  CONTROL  OF  HIGHLY  AUTO- 
MATED SYSTEMS 

Harry L. Ammerman, and William H. Melching.
May 71, 14p *Rept No. HUMRRO professional
paper 7-71
Contract DAHC19-70-C-0012
Presented at the Annual Army Human Factors
Research and Development Conference
(16th), Fort Bliss, Texas, Oct 70.


Descriptors: (*Performance (Human), Command
+ control systems), (*Automation,
*Man-machine systems), Control panels,
Decisionmaking, Reliability, Human engineering,
Factor analysis.

Identifiers: *Highly automated systems.

The  identification  of  what  man  should  do  as  a 
decisionmaker  and  controller  in  the  newly 
evolving  man-machine  systems  is  considered. 
Among the topics discussed are man's underlying
basic functions in a complex system,
task  activities  for  individual  jobs  and  their 
analyses,  and  training  and  the  design  of  opera- 
tional job  positions.  (Author) 

AD-728  099 

Human  Resources  Research  Organization, 
Alexandria,  Va. 

SURVEY  OF  FACTORS  INFLUENCING 
ARMY  LOW  LEVEL  NAVIGATION. 
Technical  rept., 

Robert  H.  Wright,  and  Warren  P.  Pauley,  Jun 
71,  125p  Rept  No.  H 
Contract  DAHC19-70-C-0012 

Descriptors: (*Navigation, Low altitude),
(*Human engineering, Navigation), Display
systems, Navigation computers, Army training,
Human engineering, Performance (Human),
Mission profiles, Terrain, Climatology.
Identifiers: Low level navigation.

Factors  that  influence  low  level  navigation 
and  affect  Army  capability  in  conducting 
low  level  missions  were  surveyed.  The  nature 
of  improvements  in  equipment,  procedures, 
and  training  needed  to  provide  the  Army 
with  effective  operational  capability  in  low 
level  navigation  were  indicated.  Major 
conclusions  from  the  survey  include  limited 
capability  in  low  level  aerial  navigation  as 
affecting  future  Army  combat  effectiveness; 
the  rapid  reaction  mission  over  unfamiliar 
terrain in low level navigation; potential
improvements  in  training  or  procedures  for 
present  navigation  system  and  equipment;  a 
simple  automatic  dead  reckoning  navigation 
computer in routine attainment of operationally
effective low level navigation performance;
and reorienting navigation procedures
and training to simplified line of
position navigation techniques. (Author)
AD-717 257

Human Resources Research Organization,
Alexandria,  Va. 

COLLECTED  PAPERS  PREPARED  UNDER 
WORK  UNIT  REPAIR.  TRAINING  OF 
ELECTRONICS  MAINTENANCE  PER- 
SONNEL. 

Nov 70, 41p Rept No. HUMRRO professional
paper-27-70

Contract  DAHC19-70-C-0012 

Descriptors: (*Maintenance personnel,
*Army training), (*Radio receivers, Maintenance),
Teaching methods, Radio communication
systems, Sequences, Malfunctions, Circuits,
Theory.

Identifiers: *Field radio repair courses,
Troubleshooting, REPAIR work unit.

Papers  in  the  collection  report  research  in  pro- 
cedures in  troubleshooting  and  repair  of 
Army  field  radios  that  resulted  in  the  con- 
struction of  evaluations  of  the  men  and  in 
experimental  training  courses.  The  papers 
are:  The  implementation  of  functional  con- 
text training  in  a radio  repairman  course;  A 
follow-up  study  of  experimentally  trained  and 
conventionally trained field radio repairmen;
REPAIR  III:  The  development  and  evalua- 
tion of  the  experimental  field  radio  repairman 
course;  REPAIR  IV:  Comparison  of  experi- 
mental and  standard  course  graduates  after 
field  experience.  (Author) 

AD-717  258 

Human  Resources  Research  Organization, 
Alexandria,  Va. 

AN  APPROACH  TO  STANDARDIZING 
HUMAN  PERFORMANCE  ASSESSMENT. 
John  D.  Engel.  Oct  70,  14p  *Rept  No. 
HUMRRO-professional  paper-26-70 
Contract  DAHC19-70-C-0012 
Presented  at  the  Planning  Conference  of 
'Standardization  of  Tasks  and  Measures  for 
Human  Factors  Research',  held  at  Texas 
Technological  Univ.,  Lubbock,  Tex.,  Mar  70. 

Descriptors: (*Performance (Human), Measurement),
(*Test construction (Psychology),
Standardization), (*Performance tests,
Standardization), Test methods, Visual acuity,
Auditory acuity, Decisionmaking, Symbols,
Documentation.


Identifiers:  Evaluation,  Task  analysis,  Tax- 
onomy, Manipulation. 

The  standardization  and  evaluation  of 
methods  of  performance  assessment  repre- 
sents an  important  area  of  concern.  In  this 
paper  an  approach  that  concentrates  on  two 
critical  areas  and  the  relationship  between 
them is discussed. These are: (a) a task
classification system, and (b) a performance
measure  classification  system.  An  example  is 
presented  that  illustrates  some  preliminary 
research  related  to  the  use  of  a performance 
measure  classification  system.  The  paper  con- 
cludes by  suggesting  areas  and  directions  for 
future  research  efforts.  (Author) 

AD-720  354 

Applied  Psychological  Services  Inc.,  Wayne, 
Pa.  Science  Center 

DIGITAL SIMULATION OF THE PERFORMANCE
OF INTERMEDIATE SIZE CREWS:
APPLICATION  AND  VALIDATION  OF  A 
MODEL  FOR  CREW  SIMULATION. 
Technical  rept., 

Arthur I. Siegel, J. Jay Wolf, and Joseph
Cosentino. Feb 71, 157p *Rept No.
APS-7071-5

Contract N00014-68-C-0262

Descriptors: (*Naval personnel, Performance
(Human)), (*Man-machine systems, Mathematical
models), Organizations, Curve fitting,
Mathematical prediction, Programming (Computers),
Digital computers, Simulation, Military
psychology, Mission profiles, Correlation
techniques, Data processing systems,
Vietnam.

Identifiers:  Computerized  simulation,  Evalua- 
tion 

Based on current psychological theory, military
doctrine, and previously developed and
tested functional relationships, selected
psychosocial, personnel, and performance
variables are woven into a stochastic mathematical
model for digitally simulating closed
man-machine systems operated by crews of
from 4 to 20 members. This probabilistic
model is presented in terms of a detailed logic
and processing flow sequence. An operational
mission (Vietnam river patrol) selected for the
evaluation of the model is then described and
quantified as required for input to the model.
The results of a series of evaluative simulation
runs, in which the computer simulation model
is applied to the mission, are reported. These
results are compared with independent criterion
data for the same mission. (Author)

AD-720  976 

Army  Test  and  Evaluation  Command, 
Aberdeen  Proving  Ground, Md. 

HUMAN  FACTORS  ENGINEERING. 

Materiel  test  procedure. 

27 Aug 69, 70p Rept No. MTP-6-2-502

Descriptors: (*Human engineering, Test
methods), (*Man-machine systems, Human
engineering), Display systems, Control panels,
Warning systems, Auditory perception.
Identifiers: Common engineering test procedures,
Auditory warning devices, Visual
displays.

The  objective  of  the  Materiel  Test  Procedure 
is  to  provide  methods  of  determining  the 
appropriateness  and  effectiveness  of  human 
factors aspects at man-machine interfaces.
(Author) 

AD-726  306 

Aerospace Medical Research Lab,
Wright-Patterson AFB, Ohio

HUMAN  FACTORS  AND  SYSTEMS  EFFEC- 
TIVENESS. 

Donald A. Topmiller. 1966, 11p Rept No.
AMRL-TR-66-257 

Presented  at  the  Reliability  and  Maintain- 
ability Conference  (5th)  held  on  18-20  Jul  66. 
Availability:  Pub.  in  Annals  of  Reliability 
and Maintainability, v5 p123-132, 1966.

Descriptors: (*Performance (Human), Effectiveness),
(*Human engineering, Maintenance),
Systems engineering, Reliability,
Maintainability, Mathematical prediction,
Statistical analysis, Errors, Time.

The paper treats human factors in systems
effectiveness as a basic problem relating
human performance to the major systems
effectiveness parameters of operability,
reliability, and maintainability. The latter two
parameters are topologically related to the
primary dependent human performance variables
used in laboratory research of errors and
time respectively. The need is outlined to not
only topologically relate these variables but to
also develop a framework within which
human engineering design can be quantitatively
assessed. Two studies were reviewed in
which human performance (time) was predicted
from design evaluations and analysis of
equipment. (Author)

AD-877  006 

Naval  Missile  Center,  Point  Mugu,  Calif. 
DYNAMIC  TARGET  IDENTIFICATION  ON 
TELEVISION  AS  A FUNCTION  OF  DIS- 
PLAY SIZE,  VIEWING  DISTANCE,  AND 
TARGET  MOTION  RATE. 

Technical  publications, 

R.  A.  Bruns,  R.  J.  Wherry,  Jr.,  and  A.  C. 
Bittner, Jr., 17 Nov 70, 64p NMC-TP-70-60
Distribution  Limitation  now  Removed. 

Descriptors: (*Closed circuit television, Design),
(*Target acquisition, Closed circuit television),
(*Naval aircraft, Closed circuit television),
Human engineering, Accuracy, Television
display systems, Ranges (Distance),
Motion, Electrooptics, Air-to-surface, Simulation,
Tactical warfare.

Identifiers: *Reconnaissance transparency
projection systems, *Airborne television
systems.

The  report  describes  the  results  of  a research 
study  whose  goal  was  the  evaluation  of  the 
effects  of  (1)  television  display  size,  (2)  dis- 
play degradation,  (3)  observer  viewing  dis- 
tance, and  (4)  target  motion  rate  on  target 
identification  performance.  Appendixes  to 
the  report  describe  (1)  a reconnaissance  trans- 
parency projection  system  used  to  simulate 
the  televisual  air-to-surface  tactical  target 
attacks  used  as  test  materiel  in  this  study  and 
(2)  a rating  procedure  used  to  compare  target 
briefing  photographs  in  terms  of  qualities 
important  for  target  identification.  The  target 
ratings  are  then  used  to  predict  target  identifi- 
cation performance  in  the  simulated  target 
attacks.  (Author) 

JPRS-53244 

Joint  Publications  Research  Service,  Wash- 
ington, D.C. 

INFORMATION CHARACTERISTICS OF
DISPLAY SYSTEMS AND THEIR RELATIONSHIP
TO PSYCHOPHYSIOLOGICAL
INDICATORS OF OPERATOR ACTIVITY
Yu. A. Ivashkin. 28 May 71, 13p
Trans. of Pribory i Sistemy Upravleniya
(USSR)-4, p22-25, 1969.

Descriptors: (*Display devices, Information
systems), Computer storage devices, Mathematical
models, Information theory, Information
capacity, Senses, Visual perception.

N71-23210 

Advisory  Group  for  Aerospace  Research  and 
Development  Paris  (France). 

FREQUENCY  RESPONSE  FUNCTIONS 
AND  HUMAN  PILOT  MODELLING. 

Mar 71, 65p AGARD-R-580-71
Lang - Mostly in English, Partly in French

Descriptors: *Aircraft structures, *Dynamic
response, *Dynamic structural analysis,
*Human factors engineering, *Mathematical
models, *Pilot performance, *Transfer functions,
Frequency response, Functional analysis,
Gusts, Modal response.

Identifiers:  NASA  subject  code  01. 

For  abstract,  see  STAR  0912. 

AD-727  365 

Aerospace Medical Research Lab,
Wright-Patterson AFB, Ohio.

HUMAN  FACTORS  ENGINEERING  CON- 
SIDERATIONS IN  SYSTEM  DEVELOP- 
MENT 

Julien M. Christensen. 1969, 33p Rept No.
AMRL-TR-69-82

Availability:  Pub.  in  Proceedings  of  the  DRG 
Seminar  on  Design  of  Equipment  for  Effec- 
tive Utilization  (5th),  21-23  Sep  69, 
p113-144.

Descriptors: (*Human engineering, *Systems
engineering),  Design. 

The  purpose  of  the  paper  is  fourfold.  First, 
the  life  cycle  in  the  design  and  development 
of  a typical  system  is  described.  Second,  the 
nature  of  human  factors  engineering  require- 
ments is  described.  Third,  these  requirements 
are  related  to  the  systems  development  cycle 
and, finally, a brief evaluation will be made of
the  tools  and  information  available  to  the 
human  factors  engineer.  (Author) 


N71-25943 

Man  Factors,  Inc.,  San  Diego,  Calif. 
DATABOOK  FOR  HUMAN  FACTORS 
ENGINEERS.  VOLUME  2 - COMMON 
FORMULAS,  METRICS,  DEFINITIONS. 

C. Kubokawa, P. Selby, and W. Woodson, Nov
69, 371p NASA-CR-114272
Contract  NAS2-5298 

Descriptors: *Conversion tables, *Formulas
(mathematics), *Human factors engineering,
*Nomenclatures, Manuals, Nomographs,
Symbols, Units of measurement.

For  abstract,  see  STAR  09  14. 

N71-25944 

Man  Factors,  Inc.,  San  Diego,  Calif. 
DATABOOK  FOR  HUMAN  FACTORS  EN- 
GINEERS. VOLUME  1 - HUMAN  ENGI- 
NEERING DATA. 

C.  Kubokawa,  P.  Selby,  and  W.  Woodson,  Nov 
69, 260p NASA-CR-114271
Contract  NAS2-5298 

Descriptors: *Anthropometry, *Environmental
index, *Human behavior, *Human factors
engineering, *Physiological factors, Equipment
specifications, Graphs (charts), Manuals,
Tables (data).

For  abstract,  see  STAR  09  14. 

N71-26160

Bolt,  Beranek,  and  Newman,  Inc.,  Cambridge, 
Mass. 

STUDIES  OF  MULTIVARIABLE  MANUAL 
CONTROL  SYSTEMS  - A MODEL  FOR 
TASK  INTERFERENCE. 

J. I. Elkind, W. H. Levison, and J. L. Ward.
May  71,  229p  NASA-CR-1746 
Contract  NAS2-3080 
Coll-  229P  Refs 

Descriptors: *Manual control, *Mathematical
models, *Pilot performance, *Task complexity,
Display devices, Man-machine systems,
Performance prediction, Tracking (position).

For  abstract,  see  STAR  09  14. 

AD-727  254 

McDonnell Douglas Corp., Long Beach, Calif.,
Douglas  Aircraft  Div. 
WHAT'S WRONG WITH HUMAN FACTORS
IN  SYSTEMS  DEVELOPMENT  AND  HOW 
CAN  THIS  BE  CORRECTED 
Arthur  S.  Romero.  1 Sep  68,  8p  Rept  No. 
Douglas  Paper-5208 


Descriptors:  (*Human  engineering.  Man-ma- 
chine systems),  Systems  engineering.  Problem 
solving.  Philosophy,  Documentation,  Factor 
analysis,  Effectiveness. 


Problems of design, development and maintenance
of sophisticated systems have brought
forth a specialized approach to information
about man known as human factors. Observation
of design and development of systems
and subsystems from the conceptual phase to
mockup review reveals some of the underlying
causes for the failure to incorporate human
factors into the design. These causes and some
recommendations for eliminating them from
future design are discussed. (Author)

A

Active  element  groups  (AEG), 5-8 
Allocation 

See:  Reliability  allocation 
See:  Man/machine  allocation 
Availability, 1-5,  1-13 

B 

Block  diagram 

See:  Reliability  diagram 

C 

Capability,  1-5 

Cause-consequence  charts,  6-3,  7-1 
construction,  7-6 
Chebyshev  limit,  9-12,  10-13 
Checklists, A-1

For following systems:
communication, A-7
crew station, A-9
electrical/electronic, A-3
fire protection, A-8
fuel/propellant, A-1
guidance/navigation, A-6
hydraulic, A-2
ordnance/explosive, A-11
pressure/pneumatic, A-3
propulsion, A-1
protection, A-7
vehicle control, A-5
Correctability, 6-7
Corrective action, 8-1, 11-4
Correlation (linear), 10-6
Criticality, 8-1

Cumulative damage models, 9-12
Cumulative polygon, 10-5
Cut  sets 

See:  Minimal  cut  sets 

D 

Data  bank 

See:  Data  source 
Data 

package,  11-6 
sources, B-1
Army systems, B-5
GIDEP, B-1

others, B-7
RAC, B-4
Definitions

availability, 1-5, 1-13
capability, 1-5
correctability, 6-7
dependability, 1-5
human performance reliability, 6-6
maintainability, 1-9
reliability, 1-1, 3-1
system, 1-2

system effectiveness, 1-4
system engineering, 1-2
THERP, 6-9
Dependability, 1-5
Design, 6-1

checklists. See: Checklists
review, 1-12, 11-1
review team, 11-2
Drift failure, 10-4, 10-8, 10-13

E 

ECAP, 10-17
Environmental, 2-1
combinations, 2-3
designing for, 2-8
effects of, 2-3, 2-4
prediction, 2-1
Ergonomics

See: Human factors
Explosion, 2-18

Exponential distribution, 3-3, 3-4, 4-11

F 

Failure 

distributions,  3-2 
mode,  9-1 

modes and effects analysis, 8-1
rate, 3-3
time, 3-5

time between failures, 3-5
Fault trees

See: Cause-consequence charts

FMEA, 8-1, 7-1
FMECA, 8-1
Fraction defective, 3-6
Frequency  histogram,  10-5 

G 

Gaussian  distribution 

See:  s-Normal  distribution 
GIDEP, B-1, B-7

H 

Hazard 

analysis,  1-14 
rate:  See:  Failure  rate 
Human 

engineering,  6-2 
factors, 6-1, 11-4, B-6, C-1
performance, 6-3

THERP,  6-9 

I

Interference (stress-strength)
See: Stress-strength models

K

Knowledge organization charts
See: Cause-consequence charts
See: FMEA

L

Linear cumulative damage, 9-12
Load factors, 9-5
Lognormal distribution, 3-3, 3-4

M

Maintainability, 1-1, 1-9
Maintenance
See: Repair
Man/machine
allocation, 6-5
interactions, 6-3
See also Human factors
Margin of safety
See: Safety margin
Mechanical failure, 9-5
Minimal cut sets, 7-3, 7-7
Models
analytic
analysis, 4-9
building, 4-2
simulation, 4-10
failure, 9-1
cumulative damage, 9-12
stress-strength, 9-2, 9-6
Moisture, 2-17
Monte Carlo, 4-9, 7-15, 10-15

N

NASAP, 10-17
Node-potential model, 10-8
s-Normal distribution, 3-3, 3-4

O

One-shot device, 3-6
Optimization, 1-5, 1-6, 1-7, 5-13

P

Parameter variation analysis, 10-1
computer programs, 10-17
moments, 10-9
Monte Carlo, 10-15
worst-case, 10-8
Performance characteristic, 10-17
Primary event, 7-2
Product review
See: Design review
Production, 6-1
review. See: Design review
Pseudo-random numbers
See: Random numbers


R 


RAC (Reliability Analysis Center), B-4, B-7
RAM, 1-10, 1-11

See also: Reliability, availability, maintainability
Random numbers, 4-10
Redundancy,  1-8,  4-3 

REG  (Reasonable  Engineering  Guess),  9-11, 
10-13 
Reliability 

allocation,  5-1 
systems  with  repair,  5-23 
systems  without  repair,  5-2 
nonredundant,  5-2,  5-3, 5-8,  5-9 
redundant,  5-13,  5-20 

block  diagrams:  See:  Reliability  diagram 
diagram,  4-2,  8-2 
measures,  3-1 
Repair,  1-8,  1-9 

S 

Safety,  1-1,  1-13 
factors,  9-5 
margin,  9-5,  9-11 
Sand  and  dust,  2-17 
Sensitivities,  10-14 
Shock  and  vibration,  2-15 
Simulation,  7-15 
Stimulus,  6-4 

Stress-strength  models,  9-2,  9-6 
deterministic,  9-2 
probabilistic,  9-6 


System 

definition,  7-6 
effectiveness,  1-4,  6-2 
engineering,  1-2 
management,  1-2,  1-3,  6-2 

T 

Tails  (of  a distribution),  10-4 
TAMMS, B-5, B-8

Task  equipment  analysis  (TEA),  6-6,  6-8 

Temperature,  2-14 

Tensile  strength,  9-2 

THERP,  6-9 

Top  event,  7-2,  7-6 

Trade-off,  1-1,  1-15, 1-16,  6-6,  6-8 

V 

Variability  analysis 

See: Parameter variation analysis

W 

Weibull  distribution,  3-3,  3-4 
Worst case analysis, 10-8




(AMCRD-TV)


AMCP  706-196 


FOR  THE  COMMANDER: 


Adjutant  General 


ROBERT  L.  KIRWAN 
Brigadier General, USA
Chief  of  Staff 


DISTRIBUTION: 

Special 


ENGINEERING  DESIGN  HANDBOOKS 


Available to DA activities from Letterkenny Army Depot, ATTN: AMXLE-ATD, Chambersburg, PA 17201. All other requestors--DOD, Navy, Air Force, Marine Corps, nonmilitary Government agencies, contractors, private industry, individuals, universities, and others--must purchase Handbooks from National Technical Information Service, Department of Commerce, Springfield, VA.

See Preface for further details and AMC policy regarding requisitioning of classified documents.


AMCP 706-

Title

100  Design Guidance for Producibility
104  Value Engineering
106  Elements of Armament Engineering, Part One, Sources of Energy
107  Elements of Armament Engineering, Part Two, Ballistics
108  Elements of Armament Engineering, Part Three, Weapon Systems and Components
109  Tables of the Cumulative Binomial Probabilities
110  Experimental Statistics, Section 1, Basic Concepts and Analysis of Measurement Data
111  Experimental Statistics, Section 2, Analysis of Enumerative and Classificatory Data
112  Experimental Statistics, Section 3, Planning and Analysis of Comparative Experiments
113  Experimental Statistics, Section 4, Special Topics
114  Experimental Statistics, Section 5, Tables
115  Environmental Series, Part One, Basic Environmental Concepts
116  Environmental Series, Part Two, Natural Environmental Factors
117  Environmental Series, Part Three, Induced Environmental Factors
118  Environmental Series, Part Four, Life Cycle Environments
119  Environmental Series, Part Five, Glossary of Environmental Terms
120  Criteria for Environmental Control of Mobile Systems
121  Packaging and Pack Engineering
123  Hydraulic Fluids
124  Reliable Military Electronics
125  Electrical Wire and Cable
127  Infrared Military Systems, Part One
128(S)  Infrared Military Systems, Part Two (U)
130  Design for Air Transport and Airdrop of Materiel
132  Maintenance Engineering Techniques (MET)
133  Maintainability Engineering Theory and Practice (METAP)
134  Maintainability Guide for Design
135  +Inventions, Patents, and Related Matters
136  **Servomechanisms, Section 1, Theory
137  **Servomechanisms, Section 2, Measurement and Signal Converters
138  **Servomechanisms, Section 3, Amplification
139  **Servomechanisms, Section 4, Power Elements and System Design
140  Trajectories, Differential Effects, and Data for Projectiles
150  Interior Ballistics of Guns
158  Fundamentals of Ballistic Impact Dynamics, Part One
159(S)  Fundamentals of Ballistic Impact Dynamics, Part Two (U)
160(C)  Elements of Terminal Ballistics, Part One, Kill Mechanisms and Vulnerability (U)
161(C)  Elements of Terminal Ballistics, Part Two, Collection and Analysis of Data Concerning Targets (U)
162(SRD)  Elements of Terminal Ballistics, Part Three, Application to Missile and Space Targets (U)
163(S)  *Basic Target Vulnerability (U)
165  Liquid-Filled Projectile Design
170(S)  Armor and Its Applications (U)
175  Solid Propellants, Part One
176  *Solid Propellants, Part Two
177  Properties of Explosives of Military Interest
178  +Properties of Explosives of Military Interest, Section 2 (Replaced by -177)
179  Explosive Trains
180  Principles of Explosive Behavior
181  Explosions in Air, Part One
182(SRD)  Explosions in Air, Part Two (U)
185  Military Pyrotechnics, Part One, Theory and Application
186  Military Pyrotechnics, Part Two, Safety, Procedures and Glossary
187  Military Pyrotechnics, Part Three, Properties of Materials Used in Pyrotechnic Compositions
188  Military Pyrotechnics, Part Four, Design of Ammunition for Pyrotechnic Effects
189  Military Pyrotechnics, Part Five, Bibliography
190  *Army Weapon System Analysis
191  System Analysis and Cost-Effectiveness
192  Computer Aided Design of Mechanical Systems, Part One
193  Computer Aided Design of Mechanical Systems, Part Two
195  *Development Guide for Reliability, Part One, Introduction, Background, and Planning for Army Materiel Requirements
196  Development Guide for Reliability, Part Two, Design for Reliability
197  *Development Guide for Reliability, Part Three, Reliability Prediction
198  *Development Guide for Reliability, Part Four, Reliability Measurement
199  *Development Guide for Reliability, Part Five, Contracting for Reliability
200  Development Guide for Reliability, Part Six, Mathematical Appendix and Glossary
201  Helicopter Engineering, Part One, Preliminary Design
202  *Helicopter Engineering, Part Two, Detail Design
203  Helicopter Engineering, Part Three, Qualification Assurance
204  Helicopter Performance Testing


205  Timing Systems and Components
210  Fuzes
211(C)  Fuzes, Proximity, Electrical, Part One (U)
212(S)  Fuzes, Proximity, Electrical, Part Two (U)
213(S)  Fuzes, Proximity, Electrical, Part Three (U)
214(S)  Fuzes, Proximity, Electrical, Part Four (U)
215(C)  Fuzes, Proximity, Electrical, Part Five (U)
235  Hardening Weapon Systems Against RF Energy
237  *Mortar Weapon Systems
238  *Recoilless Rifle Weapon Systems
239  *Small Arms Weapon Systems
240(C)  Grenades (U)
242  Design for Control of Projectile Flight Characteristics (Replaces -246)
244  Ammunition, Section 1, Artillery Ammunition--General, with Table of Contents, Glossary, and Index for Series
245(C)  Ammunition, Section 2, Design for Terminal Effects (U)
246  +Ammunition, Section 3, Design for Control of Flight Characteristics (Replaced by -242)
247  Ammunition, Section 4, Design for Projection
248  +Ammunition, Section 5, Inspection Aspects of Artillery Ammunition Design
Ammunition, Section 6, Manufacture of Metallic Components of Artillery Ammunition
250  Guns--General
251  Muzzle Devices
252  **Gun Tubes
253  *Breech Mechanism Design
255  Spectral Characteristics of Muzzle Flash
260  Automatic Weapons
270  Propellant Actuated Devices
280  Design of Aerodynamically Stabilized Free Rockets
281(SRD)  Weapon System Effectiveness (U)
282  +Propulsion and Propellants (Replaced by -285)
286  Structures
290(C)  Warheads--General (U)
291  +Surface-to-Air Missiles, Part One, System Integration
292  +Surface-to-Air Missiles, Part Two, Weapon Control
293  +Surface-to-Air Missiles, Part Three, Computers
294(C)  +Surface-to-Air Missiles, Part Four, Missile Armament (U)
295(C)  +Surface-to-Air Missiles, Part Five, Countermeasures (U)
+Surface-to-Air Missiles, Part Six, Structures and Power Sources
297(C)  +Surface-to-Air Missiles, Part Seven, Sample Problem (U)
300  Fabric Design
312  Rotational Molding of Plastic Powders
313  Short Fiber Plastic Base Composites
327  Fire Control Systems--General
329  Fire Control Computing Systems
331  Compensating Elements
335(SRD)  *Design Engineers' Nuclear Effects Manual (DENEM), Volume I, Munitions and Weapon Systems (U)
336(SRD)  *Design Engineers' Nuclear Effects Manual (DENEM), Volume II, Electronic Systems and Logistical Systems (U)
337(SRD)  *Design Engineers' Nuclear Effects Manual (DENEM), Volume III, Nuclear Environment (U)
338(SRD)  *Design Engineers' Nuclear Effects Manual (DENEM), Volume IV, Nuclear Effects (U)
340  Carriages and Mounts--General
341  Cradles
342  Recoil Systems
343  Top Carriages
344  Bottom Carriages
345  Equilibrators
346  Elevating Mechanisms
347  Traversing Mechanisms
350  Wheeled Amphibians
355  The Automotive Assembly
356  Automotive Suspensions
357  Automotive Bodies and Hulls
360  Military Vehicle Electrical Systems
361  Military Vehicle Power Plant Cooling
410  *Electromagnetic Compatibility (EMC)
411(S)  *Vulnerability of Communication-Electronic and Electro-Optical Systems (Except Guided Missiles) to Electronic Warfare, Part One, Introduction and General Approach to Electronic Warfare Vulnerability (U)
412(C)  *Vulnerability of Communication-Electronic and Electro-Optical Systems (Except Guided Missiles) to Electronic Warfare, Part Two, Electronic Warfare Vulnerability of Tactical Communications (U)
413(S)  *Vulnerability of Communication-Electronic and Electro-Optical Systems (Except Guided Missiles) to Electronic Warfare, Part Three, Electronic Warfare Vulnerability of Ground-Based and Airborne Surveillance and Target Acquisition Radars (U)
*Vulnerability of Communication-Electronic and Electro-Optical Systems (Except Guided Missiles) to Electronic Warfare, Part Four, Electronic Warfare Vulnerability of Avionics (U)
*Vulnerability of Communication-Electronic and Electro-Optical Systems (Except Guided Missiles) to Electronic Warfare, Part Five, Optical/Electronic Warfare Vulnerability of Electro-Optic Systems (U)
*Vulnerability of Communication-Electronic and Electro-Optical Systems (Except Guided Missiles) to Electronic Warfare, Part Six, Electronic Warfare Vulnerability of Satellite Communications (U)
445  Sabot Technology Engineering
470  *Metric Conversion Guide for Military Applications


*UNDER REVISION -- not available
**REVISION UNDER PREPARATION
+OBSOLETE -- out of stock


